Invariance of Conjunctions of Polynomial Equalities
for Algebraic Differential Equations

Khalil Ghorbal¹, Andrew Sogokon², André Platzer¹

July 2014
CMU-CS-14-122

School of Computer Science
Carnegie Mellon University
Pittsburgh, PA, 15213

To appear [15] in the Proceedings of the
21st International Static Analysis Symposium (SAS 2014),
11-13 September 2014, Munich, Germany.

¹ Carnegie Mellon University, Computer Science Department, Pittsburgh, PA, USA
{kghorbal|aplatzer}@cs.cmu.edu

² University of Edinburgh, LFCS, School of Informatics, Edinburgh, Scotland, UK
a.sogokon@sms.ed.ac.uk


This material is based upon work supported by the National Science Foundation by NSF CAREER Award CNS-1054246, NSF EXPEDITION CNS-0926181, CNS-0931985, DARPA FA8750-12-2-0291 and EPSRC EP/I010335/1. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution or government.




Keywords:  algebraic  invariant,  high-order  Lie  derivation,  differential  equation,  automated 
checking,  proof  rules,  continuous  dynamics,  formal  verification 


Abstract 

In this paper we seek to provide greater automation for formal deductive verification tools working with continuous and hybrid dynamical systems. We present an efficient procedure to check invariance of conjunctions of polynomial equalities under the flow of polynomial ordinary differential equations. The procedure is based on a necessary and sufficient condition that characterizes invariant conjunctions of polynomial equalities. We contrast this approach to an alternative one which combines fast and sufficient (but not necessary) conditions using differential cuts for soundly restricting the system evolution domain.


1  Introduction 


The  problem  of  reasoning  about  invariant  sets  of  dynamical  systems  is  of  fundamental  importance 
to  verification  and  modern  control  design  [3,  27,  35,  31].  A  set  is  an  invariant  of  a  dynamical 
system  if  no  trajectory  can  escape  from  it.  Of  particular  interest  are  safety  assertions  that  describe 
states  of  the  system  which  are  deemed  safe;  it  is  clearly  important  to  ensure  that  these  sets  are 
indeed  invariant. 

Hybrid systems combine discrete and continuous behavior and have found application in modelling a vast quantity of industrially relevant designs, many of which are safety-critical. In order to verify safety properties in hybrid models, one often requires the means of reasoning about safety in continuous systems. This paper focuses on developing and improving the automation of reasoning principles for a particular class of invariant assertions for continuous systems - conjunctions of polynomial equalities; these can be used, e.g. to assert the property that certain values (temperature, pressure, water level, etc.) in the system are maintained at a constant level as the system evolves.

In  practice,  it  is  highly  desirable  to  have  the  means  of  deciding  whether  a  given  set  is  invariant 
in  a  particular  dynamical  system.  It  is  equally  important  that  such  methods  be  efficient  enough  to 
be  of  practical  utility.  This  paper  seeks  to  address  both  of  these  issues.  The  contributions  of  this 
paper  are  twofold: 

• It extends differential radical invariants [14] to obtain a characterization of invariance for algebraic sets under the flow of algebraic differential equations. It also introduces an optimized decision procedure to decide the invariance of algebraic sets.

•  It  explores  an  approach  combining  deductively  less  powerful  rules  [19,  33,  22,  30]  using 
differential  cuts  [28]  to  exploit  the  structure  of  the  system  to  yield  efficient  proofs  even  for 
non-polynomial  systems.  Furthermore,  differential  cuts  [28]  are  shown  to  fundamentally 
improve  the  deductive  power  of  Lie’s  criterion  [19]. 

The two approaches to proving invariance of conjunctive equational assertions explored in this paper are complementary and aim at improving proof automation — deductive power and efficiency — in deductive formal verification tools.

Content. In Section 2, we recall some basic definitions and concepts. Section 3 introduces a new proof rule to check the invariance of a conjunction of polynomial equations along with an optimized implementation. Section 4 presents another novel approach to check invariance of a conjunction; it leverages efficient existing proof rules together with differential cuts and differential weakening. An automated proof strategy that builds on top of this idea is given in Section 5. The average performance of these different approaches is assessed using a set of 32 benchmarks (Section 6).




2  Preliminaries 


Let $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$, and $x(t) = (x_1(t), \ldots, x_n(t))$, where $x_i : \mathbb{R} \to \mathbb{R}$, $t \mapsto x_i(t)$. The ring of polynomials over the reals will be denoted by $\mathbb{R}[x_1, \ldots, x_n]$. We consider autonomous¹ differential equations described by polynomial vector fields.

Definition 1 (Polynomial Vector Field). Let $p_i$, $1 \le i \le n$, be multivariate polynomials in the polynomial ring $\mathbb{R}[x]$. A polynomial vector field, $p$, is an explicit system of ordinary differential equations with polynomial right-hand side:

$$\frac{dx_i}{dt} = \dot{x}_i = p_i(x), \quad 1 \le i \le n. \tag{1}$$

One important problem is that of checking the invariance of a variety (or algebraic set), with evolution domain constraints $H$; that is, we ask whether a polynomial conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$, initially true, holds true in all reachable states² that satisfy the evolution domain constraints. The problem is equivalent to the validity of the following formula in differential dynamic logic [27]:

$$(h_1 = 0 \wedge \cdots \wedge h_r = 0) \to [\dot{x} = p \,\&\, H]\,(h_1 = 0 \wedge \cdots \wedge h_r = 0) \tag{2}$$

where $[\dot{x} = p \,\&\, H]\psi$ is true in a state $x_\iota$ if the postcondition $\psi$ is true in all states reachable from $x_\iota$ — satisfying $H$ — by following the differential equation $\dot{x} = p$ for any amount of time as long as $H$ is not violated. For simplicity, for a polynomial $h$ in $x$, we write $h = 0$ for $h(x) = 0$.

Geometrically, the dL formula in Eq. (2) is true if and only if the solution $x(t)$, $t \ge 0$, of the initial value problem $(\dot{x} = p,\ x(0) = x_\iota)$, with $h_i(x_\iota) = 0$ for $i = 1, \ldots, r$, is a real root of the system $h_1 = 0, \ldots, h_r = 0$ as long as it satisfies the constraints $H$.

The algebraic counterpart of varieties are ideals. Ideals are sets of polynomials that are closed under addition and external multiplication. That is, if $I$ is an ideal, then for all $h_1, h_2 \in I$, the sum $h_1 + h_2 \in I$; and if $h \in I$, then $qh \in I$, for all $q \in \mathbb{R}[x_1, \ldots, x_n]$.

We will use $\nabla h$ to denote the gradient of a polynomial $h$, that is the vector of its partial derivatives $\left(\frac{\partial h}{\partial x_1}, \ldots, \frac{\partial h}{\partial x_n}\right)$. The Lie derivative of a polynomial $h$ along a vector field $p$ is defined as follows (the symbol $\cdot$ denotes the scalar product):

$$\mathcal{L}_p(h) = \nabla h \cdot p = \sum_{i=1}^{n} \frac{\partial h}{\partial x_i}\, p_i\,. \tag{3}$$

Higher-order Lie derivatives are: $\mathcal{L}_p^{(k+1)}(h) = \mathcal{L}_p\big(\mathcal{L}_p^{(k)}(h)\big)$, where $\mathcal{L}_p^{(0)}(h) = h$.

¹ Autonomous means that the rate of change of the system over time depends only on the system's state, not on time. Non-autonomous systems with time dependence can be made autonomous by adding a new state variable to account for the progress of time.

² Reachable states implicitly means that we focus on positive time invariance, that is the time variable $t$ is assumed to be non-negative.
3 Characterizing Invariance of Conjunctive Equations


In this section we give an exact characterization of invariance for conjunctions of polynomial equalities under the flow of algebraic differential equations and assuming that the evolution domain constraint $H$ is an open set.³ The characterization, as well as the proof rule, generalize our previous work which handles purely equational invariants of the form $h = 0$ without considering evolution domains (that is $H = \mathbb{R}^n$, which is open).

The differential radical invariants proof rule DRI [14, Theorem 2] has been shown to be a necessary and sufficient criterion for the invariance of equations of the form $h = 0$:

$$(\mathrm{DRI})\qquad \frac{h = 0 \to \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h) = 0}{h = 0 \to [\dot{x} = p]\, h = 0} \tag{4}$$

The order $N \ge 1$ denotes the length of the chain of ideals $\langle h \rangle \subseteq \langle h, \mathcal{L}_p(h) \rangle \subseteq \cdots$ which reaches a fixed point after finitely many steps by the ascending chain property of Noetherian rings. Thus, the order $N$ is always finite and computable — using Gröbner Bases [5] — for polynomials with rational coefficients. The premise of the proof rule DRI is a real quantifier elimination problem and can be solved algorithmically [6].

A naive approach to prove invariance of a conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$, without evolution domain constraints, is to use the proof rule DRI together with the following sum-of-squares equivalence from real arithmetic:

$$h_1 = 0 \wedge \cdots \wedge h_r = 0 \;\equiv_{\mathbb{R}}\; \sum_{i=1}^{r} h_i^2 = 0\,. \tag{5}$$

Sums-of-squares come at the price of doubling the polynomial degree, thereby increasing the complexity of checking the premise (Section 3.2 discusses the link between polynomial degree and the complexity of DRI-based proof rules). Instead, we present an extension of the proof rule DRI that exploits the underlying logical structure of conjunctions. For a conjunction of equations $h_1 = 0 \wedge \cdots \wedge h_r = 0$, the order $N$ is generalized to the length of the chain of ideals formed by all the polynomials $h_1, \ldots, h_r$ and their successive Lie derivatives:

$$I = \langle h_1, \ldots, h_r \rangle \subseteq \langle h_1, \ldots, h_r, \mathcal{L}_p(h_1), \ldots, \mathcal{L}_p(h_r) \rangle \subseteq \langle h_1, \ldots, \mathcal{L}_p^{(2)}(h_r) \rangle \subseteq \cdots \tag{6}$$

Theorem 1 (Conjunctive Differential Radical Characterization). Let $h_1, \ldots, h_r \in \mathbb{R}[x]$ and let $H$ denote some open evolution domain constraint. Then, the conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$ is invariant under the flow of the vector field $p$, subject to the evolution constraint $H$, if and only if

$$H \vdash \bigwedge_{j=1}^{r} h_j = 0 \;\to\; \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h_j) = 0\,. \tag{7}$$

where $N$ denotes the order of the conjunction.

³ We will briefly discuss the case when $H$ is an arbitrary set later. We leave the formal treatment of the general case as a future work.
Here $\vdash$ is used, as in sequent calculus, to assert that whenever the constraint $H$ (antecedent) is satisfied, then at least one (in this case, the only) formula to the right of $\vdash$ is also true. The detailed proof can be found in Appendix A. When the evolution domain constraints are dropped ($H = \mathrm{True}$) and $r = 1$ (one equation), one recovers exactly the statement of [14, Theorem 2] which characterizes invariance of atomic equations. Intuitively, Theorem 1 says that on the invariant algebraic set, all higher-order Lie derivatives of each polynomial $h_i$ must vanish. It adds however a crucial detail: checking finitely many — exactly $N$ — higher-order Lie derivatives is both necessary and sufficient. The theorem does not check for invariance of each conjunct taken separately, rather it handles the conjunction simultaneously. The order is a property of the ideal chain formed by all the polynomials and their Lie derivatives. If $N_i$ denotes the order of each atom $h_i$ taken separately, then one can readily see that

$$N \le \max_i N_i\,. \tag{8}$$

The equality does not hold in general: consider for instance $h_1 = x_1$, $h_2 = x_2$ and $p = (x_2, x_1)$. Since $\mathcal{L}_p^{(2)}(h_i) = h_i$, for $i = 1, 2$, we have $N_1 = N_2 = 2$. However,

$$\langle x_1, x_2 \rangle = \langle h_1, h_2 \rangle \subseteq \langle h_1, h_2, \mathcal{L}_p(h_1), \mathcal{L}_p(h_2) \rangle = \langle x_1, x_2, x_2, x_1 \rangle = \langle x_1, x_2 \rangle,$$

which means that $N = 1$. This example highlights one of the main differences between this work and the characterization given in [21, Theorem 24], where the criterion is given by

$$H \vdash \bigwedge_{j=1}^{r} h_j = 0 \;\to\; \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N_j - 1} \mathcal{L}_p^{(i)}(h_j) = 0\,. \tag{9}$$

The computation of each order $N_j$ requires solving $N_j$ ideal membership problems. One can appreciate the difference with the criterion of Theorem 1 which only requires $N$ ideal membership checks for the entire conjunction. In the worst case, when $N = N_k = \max_i N_i$, Theorem 1 performs $\sum_{j \ne k} N_j$ fewer ideal membership checks compared to the criterion of Eq. (9). A smaller order $N$ confers an additional benefit of reducing the cost of quantifier elimination — discussed in Section 3.2 — by bringing down both the total number of polynomials and their maximum degree.

Remark 1 (Reducing the Differential Radical Order Using the Evolution Domain Constraint). Ideally, one should also account for $H$ when computing $N$. When $H$ is an algebraic set, its generators should be appended to the ideal $\langle h_1, \ldots, h_r \rangle$. We leave the semi-algebraic case for future work. For instance, consider the vector field $p = (x_2 - 1, x_1 - 2)$ and the candidate $h = x_2 - 1$ subject to $H : x_1 - 2 = 0$. The differential radical order of $\langle x_2 - 1 \rangle$ is 2. If we consider $H$, the ideal to consider would be $\langle x_1 - 2, x_2 - 1 \rangle$ leading to $N = 1$.


Using Theorem 1, the differential radical invariant proof rule DRI [14] generalizes to conjunctions of equations with evolution domain constraints as follows:

$$(\mathrm{DRI}_\wedge)\qquad \frac{H \vdash \left(\bigwedge_{j=1}^{r} h_j = 0\right) \to \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h_j) = 0}{\left(\bigwedge_{j=1}^{r} h_j = 0\right) \to [\dot{x} = p \,\&\, H]\left(\bigwedge_{j=1}^{r} h_j = 0\right)} \tag{10}$$

Next, we implement the proof rule $\mathrm{DRI}_\wedge$ and discuss its theoretical complexity.
Algorithm 1: Checking invariance of a conjunction of polynomial equations.

Data: H (evolution domain constraints), p (vector field), x (state variables)
Data: h_1, ..., h_r (conjunction candidate)
Result: True if and only if h_1 = 0 ∧ ... ∧ h_r = 0 is an invariant of [ẋ = p & H]

 1  Ñ ← 1
 2  I ← {h_1, ..., h_r}                  // Elements of the chain of ideals
 3  L ← {h_1, ..., h_r}                  // Work list of polynomials to derive
 4  symbs ← Variables[p, h_1, ..., h_r]
 5  while True do
 6      GB ← GröbnerBasis[I, x]
 7      LD ← {}                          // Work list of Lie derivatives not in I
 8      foreach ℓ in L do
 9          LieD ← LieDerivative[ℓ, p, x]
10          Rem ← PolynomialRemainder[LieD, GB, x]
11          if Rem ≠ 0 then
12              LD ← LD ∪ {LieD}
13      if LD = {} then
14          return True
15      else
16          foreach ℓ in LD do
17              if QE[∀ symbs (H ∧ h_1 = 0 ∧ ··· ∧ h_r = 0 → ℓ = 0)] ≠ True then
18                  return False
19          I ← GB ∪ LD
20          Ñ ← Ñ + 1
21          L ← LD


3.1 Decision Procedure

To check the validity of the premise in the proof rule $\mathrm{DRI}_\wedge$, one needs to compute the order $N$ and to decide a purely universally quantified sentence in the theory of real arithmetic. These two tasks do not have to be performed in that precise order. We present an algorithm that computes $N$ on the fly while breaking down the quantifier elimination problem into simpler sub-problems.

Algorithm 1 implements the proof rule $\mathrm{DRI}_\wedge$. The algorithm returns True if and only if the candidate is an invariant. The variable $\tilde{N}$ strictly increases and converges, from below, toward the finite unknown order $N$. It is therefore a decision procedure for the invariance problem with conjunctive equational candidates.

At each iteration of the while loop it checks whether a fixed point of the chain of ideals has been reached, implying $\tilde{N} = N$. To this end, it computes a Gröbner basis (GB) of the ideal $I$ (line 2), containing the polynomials $h_i$ as well as their respective higher-order Lie derivatives up to the derivation order $\tilde{N} - 1$. Then it enters a foreach loop (line 8), where it computes the $\tilde{N}$th order Lie derivatives and their respective reductions (or remainders) (LieD) by the Gröbner basis GB.

All Lie derivatives with non-zero remainders are stored in the list LD (line 12). If the list is empty, then all $\tilde{N}$th Lie derivatives are in the ideal $I$: the fixed point of the chain of ideals is reached, and $\tilde{N} = N$. This also means that True can be returned since all prior quantifier elimination calls returned True. Otherwise, the outermost while loop (line 5) needs to be executed one more time after increasing $\tilde{N}$ (line 20). Before re-executing the while loop, however, we make sure that the premise of the proof rule $\mathrm{DRI}_\wedge$ holds up to $\tilde{N}$. Since in this case, we know that $\tilde{N} < N$, if the quantifier elimination fails to discharge the premise of the proof rule $\mathrm{DRI}_\wedge$ at $\tilde{N}$, then we do not need to go any further as the invariance property is already falsified.

The while loop decomposes the right hand side of the implication in Eq. (10) along the conjunction $\bigwedge_{i=1}^{N-1}$: the $\tilde{N}$th iteration checks whether the conjunction $\bigwedge_{j=1}^{r} \mathcal{L}_p^{(\tilde{N})}(h_j)$ vanishes. The main purpose of the foreach loop in line 16 is to decompose further the conjunction $\bigwedge_{j=1}^{r}$ using the logical equivalence $a \to (b \wedge c) \equiv (a \to b) \wedge (a \to c)$ for any boolean variables $a$, $b$, and $c$. This leads to more tractable problems of the form:

$$H \vdash \bigwedge_{j=1}^{r} h_j = 0 \;\to\; \mathcal{L}_p^{(\tilde{N})}(h_i) = 0\,. \tag{11}$$

Observe that the quantifier elimination problem in line 17 performs a universal closure for all involved symbols — state variables and parameters — denoted by symbs and determined once at the beginning of the algorithm using the procedure Variables (line 4). Besides, the quantifier elimination problem in line 17 can be readily adapted to explicitly return extra conditions on the parameters to ensure invariance of the given conjunction. When the algorithm returns False, any counterexample to the quantifier elimination problem of line 17 can be used as an initial condition for a concrete counterexample that falsifies the invariant.

3.2 Complexity

Algorithm 1 relies on two expensive procedures: deciding purely universally quantified sentences in the theory of real arithmetic (line 17) and ideal membership of multivariate polynomials using Gröbner bases (line 6). We discuss their respective complexity.

Quantifier elimination over the reals is decidable [36]. The purely existential fragment of the theory of real arithmetic has been shown to exhibit singly exponential time complexity in the number of variables [1]. Theoretically, the best bound on the complexity of deciding a sentence in the existential theory of $\mathbb{R}$ is given by where $s$ is the number of polynomials in the formula, $d$ their maximum degree and $n$ the number of variables [1]. However, in practice this has not yet led to an efficient decision procedure, so typically it is much more efficient to use partial cylindrical algebraic decomposition (PCAD) due to Collins & Hong [6], which has running time complexity doubly-exponential in the number of variables.

Ideal membership of multivariate polynomials with rational coefficients is complete for EXPSPACE [23]. Gröbner bases [5] allow membership checks in ideals generated by multivariate polynomials. Significant advances have been made for computing Gröbner bases [11, 12] which in practice can be expected to perform very well. The degree of the polynomials involved in a Gröbner basis computation can be very large. Theoretically, a Gröbner basis may contain polynomials with degree $2^{2^n}$ [24]. The degrees of all the polynomials involved are bounded by $O(d^{2^n})$ [10]. Gröbner bases are also highly sensitive to the monomial order arranging the different monomials of a multivariate polynomial (see, e.g., [8, Chapter 2] for formal definitions). The Degree Reverse Lexicographic (degrevlex) order gives (on average) Gröbner bases with the smallest total degree [2], although there exist known examples (cf. Mora's example in [18]) for which, even for the degrevlex monomial ordering, the (reduced) Gröbner basis contains a polynomial of total degree $O(d^2)$. Finally, the rational coefficients of the generators of Gröbner bases may become involved (compared to the rational coefficients of the original generators of the ideal), which can have a negative impact on the running time and memory requirements.

3.3 Optimization

The theoretical complexity of both the quantifier elimination and Gröbner bases algorithms suggests several opportunities for optimization for Algorithm 1. The maximal degree of the polynomials appearing in $H$ is assumed to be fixed. We can reduce the polynomial degrees in the right-hand side of the implication in Eq. (11) as follows: by choosing a total degree monomial ordering (e.g. degrevlex), the remainder Rem has at most the same total degree as LieD; replacing LieD by Rem serves to reduce (on average) the cost of calling a quantifier elimination procedure. Lem. 1 proves that substituting LieD by its remainder Rem in line 17 does not compromise correctness.

Lemma 1. Let $q$ be the remainder of the reduction of the polynomial $s$ by the Gröbner basis of the ideal generated by the polynomials $h_1, \ldots, h_r$. Then,

$$h_1 = 0 \wedge \cdots \wedge h_r = 0 \to s = 0 \quad\text{if and only if}\quad h_1 = 0 \wedge \cdots \wedge h_r = 0 \to q = 0\,.$$

Proof. By construction, we have $s = \sum_{i=1}^{r} \alpha_i h_i + q$ for some polynomials $\alpha_i$. Therefore, the conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$ implies that $s - q = 0$, or equivalently $s = q$, and the lemma follows. □

The same substitution reduces the Gröbner basis computation cost since it attempts to keep a low maximal degree in all the polynomials appearing in the generators of the ideal $I$. Lem. 2 shows that it is safe to perform this substitution: the ideal $I$ remains unchanged regardless of whether we choose to construct the list LD using LieD or Rem.

Lemma 2. Let $q$ be the remainder of the reduction of the polynomial $s$ by the Gröbner basis of the ideal generated by the polynomials $h_1, \ldots, h_r$. Then,

$$\langle h_1, \ldots, h_r, s \rangle = \langle h_1, \ldots, h_r, q \rangle\,.$$

Proof. By construction, we have $s = \sum_{i=1}^{r} \alpha_i h_i + q$ for some polynomials $\alpha_i$. Therefore, $s \in \langle h_1, \ldots, h_r, q \rangle$ and $q \in \langle h_1, \ldots, h_r, s \rangle$, which respectively leads to

$$\langle h_1, \ldots, h_r, s \rangle \subseteq \langle h_1, \ldots, h_r, q \rangle \quad\text{and}\quad \langle h_1, \ldots, h_r, s \rangle \supseteq \langle h_1, \ldots, h_r, q \rangle\,. \; □$$
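To make the ideal-chain part of Algorithm 1 concrete, here is an added, dependency-free Python implementation (example code written for this page, not the authors' own implementation). It computes Lie derivatives (Eq. (3)), a Gröbner basis by plain Buchberger under degrevlex, the order $N$ of the chain of ideals (Eq. (6)) and the reduced obligations Rem that line 17 would pass on (the Lemma 1 and Lemma 2 substitution); it assumes the quantifier elimination call of line 17 is supplied by an external tool, so it is not implemented, and an algebraic evolution domain $H$ is handled as in Remark 1 by appending its generators to the ideal.

```python
from fractions import Fraction
from itertools import combinations

# Polynomials over Q are dicts {exponent tuple: Fraction}; {} is the zero polynomial.
# The exponent tuple (e_1, ..., e_n) stands for the monomial x_1^e_1 * ... * x_n^e_n.

def const(c, n):
    return {(0,) * n: Fraction(c)} if c else {}

def var(i, n):
    return {tuple(int(j == i) for j in range(n)): Fraction(1)}

def padd(f, g):
    h = dict(f)
    for m, c in g.items():
        h[m] = h.get(m, Fraction(0)) + c
        if h[m] == 0:
            del h[m]
    return h

def psub(f, g):
    return padd(f, {m: -c for m, c in g.items()})

def pterm(f, c, m):
    """f multiplied by the single term c * x^m."""
    return {tuple(a + b for a, b in zip(mon, m)): k * c for mon, k in f.items()}

def pmul(f, g):
    h = {}
    for m, c in f.items():
        h = padd(h, pterm(g, c, m))
    return h

def pdiff(f, i):
    """Partial derivative of f with respect to x_i."""
    return {m[:i] + (m[i] - 1,) + m[i + 1:]: c * m[i] for m, c in f.items() if m[i]}

def lie(h, p):
    """Lie derivative L_p(h) = sum_i (dh/dx_i) * p_i, Eq. (3)."""
    out = {}
    for i, p_i in enumerate(p):
        out = padd(out, pmul(pdiff(h, i), p_i))
    return out

def grevlex_key(m):
    """Degree reverse lexicographic order, the total-degree order of Section 3.3."""
    return (sum(m), tuple(-e for e in reversed(m)))

def lead(f):
    m = max(f, key=grevlex_key)
    return m, f[m]

def remainder(f, G):
    """Multivariate division of f by G; remainder 0 iff f in <G> when G is a Groebner basis."""
    f, r = dict(f), {}
    while f:
        m, c = lead(f)
        for g in G:
            gm, gc = lead(g)
            if all(a <= b for a, b in zip(gm, m)):
                f = padd(f, pterm(g, -c / gc, tuple(b - a for a, b in zip(gm, m))))
                break
        else:  # no leading term of G divides m: move the term to the remainder
            r[m] = c
            del f[m]
    return r

def spoly(f, g):
    (fm, fc), (gm, gc) = lead(f), lead(g)
    lcm = tuple(max(a, b) for a, b in zip(fm, gm))
    return psub(pterm(f, 1 / fc, tuple(l - a for l, a in zip(lcm, fm))),
                pterm(g, 1 / gc, tuple(l - a for l, a in zip(lcm, gm))))

def groebner(F):
    """Plain Buchberger algorithm; adequate for the small systems of the paper."""
    G = [f for f in F if f]
    pairs = list(combinations(range(len(G)), 2))
    while pairs:
        i, j = pairs.pop()
        r = remainder(spoly(G[i], G[j]), G)
        if r:
            G.append(r)
            pairs.extend((k, len(G) - 1) for k in range(len(G) - 1))
    return G

def conjunction_order(hs, p, H=()):
    """Ideal-chain part of Algorithm 1 for h_1 = 0 ∧ ... ∧ h_r = 0 under p.
    Returns (N, obligations): N is the order of the ideal chain of Eq. (6);
    obligations lists, per level, the remainders Rem that line 17 of Algorithm 1
    would hand to quantifier elimination (Lemma 1 optimization); [] means the
    premise of DRI_∧ holds with no real-arithmetic call. H: polynomials whose zero
    set is an algebraic evolution domain, appended to the ideal as in Remark 1.
    """
    I, L, N, obligations = list(hs) + list(H), list(hs), 1, []
    while True:
        GB = groebner(I)
        LD = [rem for rem in (remainder(lie(f, p), GB) for f in L) if rem]
        if not LD:
            return N, obligations
        obligations.append(LD)
        I, L, N = GB + LD, LD, N + 1
```

Run on the paper's examples, `conjunction_order([x1, x2], [x2, x1])` gives order 1 with no obligations, while each atom alone has order 2, and the Remark 1 candidate $x_2 - 1$ drops from order 2 to order 1 once $x_1 - 2$ is appended for $H$.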
$$(\mathrm{DI}_=)\quad \frac{H \vdash \mathcal{L}_p(h) = 0}{(h = 0) \to [\dot{x} = p \,\&\, H](h = 0)}
\qquad
(\text{P-c})\quad \frac{H \vdash \mathcal{L}_p(h) \in \langle h \rangle}{(h = 0) \to [\dot{x} = p \,\&\, H](h = 0)}$$

$$(\mathrm{Lie})\quad \frac{\bigwedge_{i=1}^{k-1} g_i = 0 \vdash h = 0 \to \left(\mathcal{L}_p(h) = 0 \wedge \operatorname{rank}(\nabla g_1, \ldots, \nabla g_{k-1}, \nabla h) = k\right)}{(h = 0) \to [\dot{x} = p \,\&\, \bigwedge_{i=1}^{k-1} g_i = 0](h = 0)}$$

$$(\mathrm{Lie}_0)\quad \frac{H \vdash h = 0 \to (\mathcal{L}_p(h) = 0 \wedge \nabla h \ne 0)}{(h = 0) \to [\dot{x} = p \,\&\, H](h = 0)}
\qquad
(\mathrm{DW})\quad \frac{H \vdash F}{F \to [\dot{x} = p \,\&\, H]F}$$

Figure 1: Proof rules for checking the invariance of $h = 0$ w.r.t. the vector field $p$: DI$_=$ [30, Theorem 3], P-c [33, Lemma 2], Lie, Lie$_0$ based on [26, Theorem 2.8], DW [29, Lemma 3.6]


Although this optimization reduces the total degree of the polynomials involved, the coefficients of the remainder $q$ may get more involved than the coefficients of the original polynomial $s$. In Section 6 we give an empirical comparison of the optimized — as detailed in this section — versus the unoptimized version of Algorithm 1.


4 Sufficient Conditions for Invariance of Equations

The previous section dealt with a method for proving invariance which is both necessary and sufficient for conjunctions of polynomial equalities. Given the proof rule $\mathrm{DRI}_\wedge$, it is natural to ask whether previously proposed sufficient proof rules are still relevant. After all, theoretically, $\mathrm{DRI}_\wedge$ is all that is required for producing proofs of invariance in this class of problems. This is a perfectly legitimate question; however, given the complexity of the underlying decision procedures needed for $\mathrm{DRI}_\wedge$ it is perhaps not surprising that one will eventually face scalability issues. This, in turn, motivates a different question - can one use proof rules (which are perhaps deductively weaker than $\mathrm{DRI}_\wedge$) in such a way as to attain more computationally efficient proofs of invariance?

Before addressing this question, this section will review existing sufficient proof rules which allow reasoning about invariance of atomic equational assertions. In Fig. 1, DI$_=$ shows the equational differential invariant [28] proof rule. The condition is sufficient (but not necessary) and characterizes polynomial invariant functions [28, 30]. The premise of the Polynomial-consecution rule [33, 22], P-c in Fig. 1, requires $\mathcal{L}_p(h)$ to be in the ideal generated by $h$. This condition is also only sufficient and was mentioned as early as 1878 [9]. The Lie proof rule uses Lie's criterion [19, 26, 30] for invariance of $h = 0$ and characterizes smooth invariant manifolds, while Lie$_0$ is a common variant that assumes the evolution constraint $H$ provided that it defines an open set.

Remark 2. In an earlier version, Lie$_0$ was incorrectly represented as Lie, which only applies to instances where $H$ is open. See [26, 30] for more information about Lie's criterion.

The rule DW is called differential weakening [29] and covers the trivial case when the evolution constraint implies the invariant candidate; in contrast to all other rules in the table, DW can work with arbitrary invariant assertions.
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Unlike  the  necessary  and  sufficient  condition  provided  by  the  rule  DRI  (see  Eq.  (4)),  all  the 
other  proof  rules  in  Figure  1  only  impose  sufficient  conditions  and  may  thus  fail  at  a  proof  even  in 
cases  when  the  candidate  is  indeed  an  invariant. 

The  purpose  of  all  the  rules  shown  in  Figure  1,  save  perhaps  DW,  is  to  show  invariance  of 
atomic  equations.  However,  in  general,  one  faces  the  problem  F  — )■  [x  =  p  H]C,  where  F  is  a 
formula  defining  a  set  of  states  where  the  system  is  initialized,  and  C  is  the  post-condition  where 
the  system  always  enters  after  following  the  differential  equation  x  =  p  as  long  as  the  domain 
constraint  H  is  satisfied. 

One way to prove such a statement is to find an invariant $I$ which is true initially (i.e. $F \rightarrow I$), is indeed an invariant for the system ($I \rightarrow [\dot{x} = p \,\&\, H]\,I$), and implies the post-condition ($I \rightarrow C$). These conditions can be formalized in the proof rule [31]

$$\frac{F \rightarrow I \qquad I \rightarrow [\dot{x} = p \,\&\, H]\,I \qquad I \rightarrow C}{F \rightarrow [\dot{x} = p \,\&\, H]\,C}$$

In this paper we consider the special case when the invariant is the same as the post-condition, so we can drop the last clause and the rule becomes

$$\text{(Inv)}\quad \frac{F \rightarrow C \qquad C \rightarrow [\dot{x} = p \,\&\, H]\,C}{F \rightarrow [\dot{x} = p \,\&\, H]\,C}$$

In  the  following  sections,  we  will  be  working  in  a  proof  calculus,  rather  than  considering  a 
single  proof  rule,  and  will  call  upon  this  definition  in  the  proofs  we  construct. 


5  Differential  Cuts  and  Lie’s  Rule 

When considering a conjunctive invariant candidate $h_1 = 0 \wedge h_2 = 0 \wedge \cdots \wedge h_r = 0$, it may be the case that each conjunct considered separately is an invariant for the system. Then, one could simply invoke the following basic result about invariant sets to prove invariance of each atomic formula individually.

Proposition 1. Let $S_1, S_2 \subseteq \mathbb{R}^n$ be invariant sets for the differential equation $\dot{x} = p$, then the set $S_1 \cap S_2$ is also an invariant.

Corollary 1. The proof rule

$$(\wedge\text{Inv})\quad \frac{h_1 = 0 \rightarrow [\dot{x} = p \,\&\, H]\,h_1 = 0 \qquad h_2 = 0 \rightarrow [\dot{x} = p \,\&\, H]\,h_2 = 0}{h_1 = 0 \wedge h_2 = 0 \rightarrow [\dot{x} = p \,\&\, H]\,(h_1 = 0 \wedge h_2 = 0)}$$

is sound and may be generalized to accommodate arbitrarily many conjuncts.

Of course, one still needs to choose an appropriate proof rule from Figure 1 (or DRI) in order to prove invariance of atomic equational formulas. For purely polynomial problems it would be natural to attempt a proof using DRI first, but in the presence of transcendental functions, one may need to resort to other rules. In general however, even if the conjunction defines an invariant set, the individual conjuncts need not themselves be invariants. If such is the case, one cannot simply break down the conjunctive assertion using the rule ∧Inv and prove invariance of each conjunct individually. In this section, we explore using a proof rule called differential cut (DC) to address this issue.

Differential  cuts  were  introduced  as  a  fundamental  proof  principle  for  differential  equations  [28] 
and  can  be  used  to  (soundly)  strengthen  assumptions  about  the  system  evolution. 


Proposition 2 (Differential Cut [28]). The proof rule

$$\text{(DC)}\quad \frac{F \rightarrow [\dot{x} = p \,\&\, H]\,C \qquad F \rightarrow [\dot{x} = p \,\&\, (H \wedge C)]\,F}{F \rightarrow [\dot{x} = p \,\&\, H]\,F}$$

where $C$ and $F$ denote quantifier-free first-order formulas, is sound.


Remark 3. The rule ∧Inv may in fact be derived from DW, Inv, and DC.

One may appreciate the geometric intuition behind the rule DC if one realizes that the left branch requires one to show that the set of states satisfying $C$ is an invariant for the system initialized in any state satisfying $F$. Thus, the system does not admit any trajectories starting in $F$ that leave $C$ and hence by adding $C$ to the evolution constraint, one does not restrict the behavior of the original system.

Differential  cuts  may  be  applied  repeatedly  to  the  effect  of  refining  the  evolution  constraint 
with  more  invariant  sets.  It  may  be  profitable  to  think  of  successive  differential  cuts  as  showing  an 
embedding  of  invariants  in  a  system. 

There is an interesting connection between differential cuts and embeddings of invariant sub-manifolds, when used with the proof rule Lie. To develop this idea, let us remark that if one succeeds at proving invariance of some $h_1 = 0$ using the rule Lie in a system with no evolution constraint, one shows that $h_1 = 0$ is a smooth invariant sub-manifold of $\mathbb{R}^n$. If one now considers the system evolving inside that invariant manifold and finds some $h_2 = 0$ which can be proved to be invariant using Lie with $h_1 = 0$ acting as an evolution constraint, then inside the manifold $h_1 = 0$, $h_2 = 0$ defines an invariant sub-manifold (even in cases when $h_2 = 0$ might not define a sub-manifold of the ambient space $\mathbb{R}^n$). One can proceed using Lie in this way to look for further embedded invariant sub-manifolds. We will illustrate this idea using a basic example.

Example 1 (Differential cut with Lie). Let the system dynamics be $p = (x_1, -x_2)$. This system has an equilibrium at the origin, i.e. $p(0) = 0$. Consider an invariant candidate $x_1 = 0 \wedge x_1 - x_2 = 0$. One cannot use Lie directly to prove the goal

$$x_1 = 0 \wedge x_1 - x_2 = 0 \rightarrow [\dot{x} = p]\,(x_1 = 0 \wedge x_1 - x_2 = 0)\,.$$

Indeed, rewriting $x_1 = 0 \wedge x_1 - x_2 = 0$ as $x_1^2 + (x_1 - x_2)^2 = 0$ and attempting to use Lie will not succeed as $h = 0 \rightarrow \nabla\big(x_1^2 + (x_1 - x_2)^2\big) = 0$.

Instead, DC can be used to cut by $x_1 = 0$, which is an invariant for this system provable using Lie. The left branch of DC is proved as follows:

$$
\text{(Inv)}\;
\frac{
  x_1 = 0 \wedge x_1 - x_2 = 0 \rightarrow x_1 = 0
  \qquad
  \text{(Lie)}\;\dfrac{x_1 = 0 \rightarrow x_1 = 0 \wedge (1 \neq 0)}{x_1 = 0 \rightarrow [\dot{x} = p]\, x_1 = 0}
}{
  x_1 = 0 \wedge x_1 - x_2 = 0 \rightarrow [\dot{x} = p]\, x_1 = 0
}
$$

Figure 2: System invariant $x_1 = 0$ (left) used in a differential cut to show that the intersection at the origin (right) is an invariant.
One can also prove that $x_1 - x_2 = 0$ is an invariant under the evolution constraint $x_1 = 0$:

$$
(\wedge\text{Inv})\;
\frac{
  \text{(DW)}\;\dfrac{}{x_1 = 0 \rightarrow [\dot{x} = p \,\&\, x_1 = 0]\, x_1 = 0}
  \qquad
  \text{(Lie)}\;\dfrac{x_1 = 0 \vdash x_1 - x_2 = 0 \rightarrow x_1 + x_2 = 0 \wedge \operatorname{rank}\big(\nabla(x_1), \nabla(x_1 - x_2)\big) = 2}{x_1 - x_2 = 0 \rightarrow [\dot{x} = p \,\&\, x_1 = 0]\, x_1 - x_2 = 0}
}{
  x_1 = 0 \wedge x_1 - x_2 = 0 \rightarrow [\dot{x} = p \,\&\, x_1 = 0]\,(x_1 = 0 \wedge x_1 - x_2 = 0)
}
$$

Using these two sub-proofs to close the appropriate branches, the rule DC proves

$$x_1 = 0 \wedge x_1 - x_2 = 0 \rightarrow [\dot{x} = p]\,(x_1 = 0 \wedge x_1 - x_2 = 0)\,.$$


While this example is very simplistic, it provides a good illustration of the method behind differential cuts. We used DC to restrict system evolution to an invariant manifold $x_1 = 0$ using Lie and then used Lie again to show that $x_1 - x_2 = 0$ defines an invariant sub-manifold inside $x_1 = 0$. This is illustrated in Fig. 2.

It is also worth noting that the choice of conjunct for use in the differential cut was crucial. Had we initially picked $x_1 - x_2 = 0$ to act as $C$ in DC, the proof attempt would have failed, since this does not define an invariant sub-manifold of $\mathbb{R}^2$ (see Fig. 2).

Let us now remark that by employing DC, we proved invariance of a conjunction which could not be described by an atomic equational assertion which is provable using the rule Lie, or by using Lie to prove invariance of each conjunct after breaking down the conjunction with the rule ∧Inv. It has previously been shown that differential cuts increase the deductive power of the system when used in concert with differential invariants [28, 31, 30]. We prove that the same is true for differential cuts with Lie. Indeed, differential cuts serve to address some of the limitations inherent in both DI= and Lie.

Theorem 2. The deductive power of Lie together with DC is strictly greater than that of Lie considered separately. We write this as DC + Lie $\succ$ Lie.

Proof. In Example 1 we demonstrate the use of Lie together with DC to prove invariance of a conjunction of polynomial equalities which is not provable using Lie alone. To see this, suppose that for the system in Example 1 there exists some real-valued differentiable function $g(x)$ whose zero level set is precisely the origin, i.e. $(g(x) = 0) \equiv (x = 0)$. Then, for all $x \in \mathbb{R}^2 \setminus \{0\}$ this function evaluates to $g(x) > 0$ or $g(x) < 0$ (by continuity of $g(x)$) and $0$ is thus the global minimum or global maximum, respectively. In either case, $g(x) = 0 \rightarrow \nabla g(x) = 0$ is valid, which cannot satisfy the premise of Lie. □

Similar to the embedding of invariants observed when combining differential cuts with the Lie proof rule, we briefly explore an intriguing connection between the use of differential cuts together with DI= and higher integrals of dynamical systems.

The premise of the rule DI= establishes that $h(x)$ is a first integral (i.e. a constant of motion) for the system in order to conclude that $h = 0$ is an invariant. More general notions of invariance have been introduced to study integrability of dynamical systems. For instance, $h(x)$ is a second integral if $\mathcal{L}_p(h) = \alpha h$, where $\alpha$ is some function; this is also sufficient to conclude that $h = 0$ is an invariant. Let us remark that in a purely polynomial setting, such an $h \in \mathbb{R}[x]$ is known as a Darboux polynomial [16, 9] and the condition corresponds to ideal membership in the premise of P-c. Going further, a third integral is a function $h(x)$ that remains constant on some level set of a first integral $g(x)$ [16, Section 2.6], i.e. $\mathcal{L}_p(h) = \alpha g$ where $g$ is a first integral and $\alpha$ is some function. These ideas generalize to higher integrals (see [16, Section 2.7]).

Example 2 (Deconstructed aircraft [30] - differential cut with DI=). Consider the system $\dot{x} = p = (-x_2, x_3, -x_2)$ and consider the invariant candidate $x_1^2 + x_2^2 = 1 \wedge x_3 = x_1$. One cannot use DI= directly to prove the goal

$$x_1^2 + x_2^2 = 1 \wedge x_3 = x_1 \rightarrow [\dot{x} = p]\,(x_1^2 + x_2^2 = 1 \wedge x_3 = x_1)\,.$$

We can apply DC to cut by $x_1 = x_3$, which is a first integral for the system and is thus provable using DI=. The left branch of DC is proved as follows:


$$
\text{(Inv)}\;
\frac{
  (\mathbb{R})\;\dfrac{}{x_1^2 + x_2^2 = 1 \wedge x_3 = x_1 \rightarrow x_3 = x_1}
  \qquad
  \text{(DI=)}\;\dfrac{-x_2 = -x_2}{x_3 = x_1 \rightarrow [\dot{x} = p]\, x_3 = x_1}
}{
  x_1^2 + x_2^2 = 1 \wedge x_3 = x_1 \rightarrow [\dot{x} = p]\, x_3 = x_1
}
$$


For the right branch of DC we need to show that $x_1^2 + x_2^2 = 1$ is an invariant under the evolution constraint $x_3 = x_1$. This is again provable using DI=:

$$
(\wedge\text{Inv})\;
\frac{
  \text{(DW)}\;\dfrac{}{x_3 = x_1 \rightarrow [\dot{x} = p \,\&\, x_3 = x_1]\, x_3 = x_1}
  \qquad
  \text{(DI=)}\;\dfrac{x_3 = x_1 \vdash -2x_1x_2 + 2x_2x_3 = 0}{x_1^2 + x_2^2 = 1 \rightarrow [\dot{x} = p \,\&\, x_3 = x_1]\, x_1^2 + x_2^2 = 1}
}{
  x_1^2 + x_2^2 = 1 \wedge x_3 = x_1 \rightarrow [\dot{x} = p \,\&\, x_3 = x_1]\,(x_1^2 + x_2^2 = 1 \wedge x_3 = x_1)
}
$$


We can now construct a proof of invariance for the conjunction using DC.

Note that in this example, we have only ever had to resort to the rule DI= for showing invariance of an equational candidate. We first showed that $x_3 - x_1$ is an invariant function (first integral) for the system. After restricting the evolution domain to the zero set of the first integral, $x_3 - x_1 = 0$, we proved that the polynomial $x_1^2 + x_2^2 - 1$ is conserved in the constrained system. In this example we have $\mathcal{L}_p(x_1^2 + x_2^2 - 1) = -2x_1x_2 + 2x_2x_3 = 2x_2(x_3 - x_1)$, where $(x_3 - x_1)$ is a first integral of the system. Thus, $x_1^2 + x_2^2 - 1$ is in fact a (polynomial) third integral.


5.1  Proof  Strategies  using  Differential  Cuts 

Differential cuts can be used to search for a proof of invariance of conjunctive equational assertions. This involves selecting some conjunct $h_i = 0$ to cut by (that is, to use it as $C$ in DC). If the conjunct is indeed an invariant, it will be possible to strengthen the evolution domain constraint and proceed in a similar fashion by selecting a new $C$ from the remaining conjuncts until a proof is attained. A formal proof of invariance using differential cuts can be quite long and will repeatedly resort to proof rules such as ∧Inv (Eq. (12)) and DW (Fig. 1), which is used to prune away conjuncts that have already been added to the evolution domain constraint.


Algorithm 2: DCSearch. Differential cut proof search
Data: $\{h_1, \ldots, h_r\}$, $p$, $H$
Result: True, False.

1   if r = 0 then
2       return True
3   else
4       i ← 1
5       while i ≤ r do
6           if Inv(h_i, H) then
7               if DCSearch({h_1, ..., h_r} \ {h_i}, p, H ∧ h_i = 0) then
8                   return True
9           // otherwise (h_i not proved invariant, or the recursive search failed) try the next conjunct
10          i ← i + 1
11      return False


Our proof strategy iteratively selects a conjunct with which to attempt a differential cut as a recursive function DCSearch, shown in Algorithm 2. Before calling this function, the conjuncts are put into ascending order with respect to the number of variables appearing in the conjunct. For purely polynomial problems, the ordering is also ascending with respect to the total degree of the polynomials. The aim of this pre-processing step is to ensure that conjuncts which are potentially less expensive to check for invariance are processed first (see Section 3.2). There is in general no easy way of selecting the "right" proof rule for showing invariance of atomic equations (step Inv, line 6 of Algorithm 2); a possible, albeit not very efficient, solution would be to iterate through all the available proof rules. This would combine their deductive power, but could also lead to diminished performance. In practice, selecting a good proof rule for atomic invariants is very much a problem-specific matter. We have implemented DCSearch to use the proof rule DI= before trying Lie.
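As an added example (not the paper's implementation), the following Python script runs Algorithm 2 with DI= as the only atomic check: the DI= premise under the accumulated cuts is discharged by multivariate division of the Lie derivative by the cut polynomials (a sufficient ideal-membership test I chose for brevity; it is not a Gröbner-basis computation), Lie is not implemented, and the polynomial helpers and the `example1`/`example2` encodings are my own.

```python
from fractions import Fraction

# Constructed example (not the paper's code): DCSearch (Algorithm 2) over polynomial
# equalities h_i = 0 with DI= as the only atomic invariance check. A polynomial in n
# variables is a dict {exponent tuple: Fraction coefficient} with zero coefficients
# omitted, so {} is the zero polynomial.

def P(*terms):
    """Build a polynomial from (coefficient, exponent tuple) pairs."""
    out = {}
    for c, e in terms:
        out[e] = out.get(e, 0) + Fraction(c)
    return {e: c for e, c in out.items() if c != 0}

def padd(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = out.get(e, 0) + c
    return {e: c for e, c in out.items() if c != 0}

def pmul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = out.get(e, 0) + ca * cb
    return {e: c for e, c in out.items() if c != 0}

def pneg(a):
    return {e: -c for e, c in a.items()}

def pdiff(a, i):
    """Partial derivative with respect to variable i."""
    out = {}
    for e, c in a.items():
        if e[i] > 0:
            e2 = e[:i] + (e[i] - 1,) + e[i + 1:]
            out[e2] = out.get(e2, 0) + c * e[i]
    return out

def lie(h, p):
    """Lie derivative L_p(h) = sum_i (dh/dx_i) * p_i along the vector field p."""
    out = {}
    for i, p_i in enumerate(p):
        out = padd(out, pmul(pdiff(h, i), p_i))
    return out

def reduce_by(f, cuts):
    """Remainder of f on multivariate division by the cut polynomials (lex order).
    A zero remainder proves f lies in the ideal <cuts> and so vanishes wherever all
    cuts are zero; a nonzero remainder proves nothing (cuts is not made into a
    Groebner basis here), so the test is sufficient only, like the rules in Fig. 1."""
    f, r = dict(f), {}
    while f:
        lm = max(f)  # leading monomial: tuple comparison is the lex order
        for g in cuts:
            lg = max(g)
            if all(i <= j for i, j in zip(lg, lm)):
                q = P((f[lm] / g[lg], tuple(i - j for i, j in zip(lm, lg))))
                f = padd(f, pneg(pmul(q, g)))
                break
        else:
            r = padd(r, {lm: f.pop(lm)})
    return r

def di_eq(h, p, cuts):
    """DI=: h = 0 is invariant under x' = p & (all cuts = 0) if L_p(h) = 0 holds on
    the evolution domain; that premise is discharged here by reduce_by."""
    return reduce_by(lie(h, p), cuts) == {}

def dc_search(hs, p, cuts):
    """Algorithm 2: find a conjunct provable by DI= under the current cuts, add it to
    the evolution domain and recurse on the rest; succeed once none remain."""
    if not hs:
        return True
    for i, h in enumerate(hs):
        if di_eq(h, p, cuts) and dc_search(hs[:i] + hs[i + 1:], p, cuts + [h]):
            return True
    return False

def prove_conjunction(hs, p):
    """Pre-order conjuncts by (number of variables, total degree), then run DCSearch."""
    def key(h):
        n = len(next(iter(h)))
        return (sum(any(e[i] for e in h) for i in range(n)), max(map(sum, h)))
    return dc_search(sorted(hs, key=key), p, [])

def example2():
    """Deconstructed aircraft: x' = (-x2, x3, -x2), candidate x1^2+x2^2=1 & x3=x1."""
    x1, x2, x3 = (1, 0, 0), (0, 1, 0), (0, 0, 1)
    p = [P((-1, x2)), P((1, x3)), P((-1, x2))]
    h1 = P((1, (2, 0, 0)), (1, (0, 2, 0)), (-1, (0, 0, 0)))  # x1^2 + x2^2 - 1
    h2 = P((1, x3), (-1, x1))                                 # x3 - x1
    return [h1, h2], p

def example1():
    """Example 1: x' = (x1, -x2), candidate x1=0 & x1-x2=0; needs Lie, not DI=."""
    x1, x2 = (1, 0), (0, 1)
    p = [P((1, x1)), P((-1, x2))]
    return [P((1, x1)), P((1, x1), (-1, x2))], p

if __name__ == "__main__":
    print(prove_conjunction(*example2()))  # True: cut by x3 - x1, then DI= on the circle
    print(prove_conjunction(*example1()))  # False: x1 = 0 is not a first integral
```

Because only DI= is wired in, the search reports Example 1 as unprovable even though DC + Lie proves it; adding a Lie check at `di_eq` is the point where a second atomic rule would go.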

The overall proof strategy, if successful, would lead to a proof tree resembling that shown below. The proof steps labelled with ? mark choices in selecting the rule for atomic invariants from Figure 1.

$$
\text{(DC)}\;
\frac{
\text{(Inv)}\;\dfrac{\bigwedge_{i=1}^{r} h_i = 0 \rightarrow h_1 = 0 \qquad \text{?}\;\dfrac{\;\vdots\;}{h_1 = 0 \rightarrow [\dot{x} = p]\, h_1 = 0}}{\bigwedge_{i=1}^{r} h_i = 0 \rightarrow [\dot{x} = p]\, h_1 = 0}
\qquad
(\wedge\text{Inv})\;\dfrac{\text{(DW)}\;\dfrac{}{h_1 = 0 \rightarrow [\dot{x} = p \,\&\, h_1 = 0]\, h_1 = 0} \qquad \text{(DC)}\;\dfrac{\;\vdots\;}{\bigwedge_{i=2}^{r} h_i = 0 \rightarrow [\dot{x} = p \,\&\, h_1 = 0]\, \bigwedge_{i=2}^{r} h_i = 0}}{\bigwedge_{i=1}^{r} h_i = 0 \rightarrow [\dot{x} = p \,\&\, h_1 = 0]\, \bigwedge_{i=1}^{r} h_i = 0}
}{
\bigwedge_{i=1}^{r} h_i = 0 \rightarrow [\dot{x} = p]\, \bigwedge_{i=1}^{r} h_i = 0
}
$$

The (DC) sub-tree on the right is expanded in the same way for $h_2, \ldots, h_{r-1}$; the last conjunct is then proved invariant under all the previous cuts by a final atomic step

$$\text{?}\;\frac{\;\vdots\;}{h_r = 0 \rightarrow [\dot{x} = p \,\&\, \bigwedge_{i=1}^{r-1} h_i = 0]\, h_r = 0}$$

5.2 Performance and Limitations

Unlike with purely automated methods, such as DRI∧, knowledge about the system is often crucial for differential cuts to be effective; however, this knowledge can sometimes be used to construct proofs that are more computationally efficient. We have identified an example (shown in Ex. 3) with 13 state variables which defeats the current implementation of DRI∧ and which is easily provable using differential cuts together with both DI= and Lie (solved quickly by running DCSearch).

Though very much an artificial problem, it demonstrates that structure in the problem can sometimes be exploited to yield efficient proofs using DC. This is especially useful for large systems with many variables where the structure of the problem is well-understood. Additionally, we see that a combination of proof rules (DI=, Lie, DC) can be both helpful and efficient.
Example 3. Consider the system

Xi  =  —292xt{—1  +  xl  +  Xy  +  1 

X2  =  -292a;8(-l  +  xl  +  Xy  + 

X3  =  -42(2x10  +  2xio  +  2x9)  (-3  +  6x10  +  a;io  +  2x10X9  +  2X13X9  +  Xg)^^ 

X4  =  -42(12x10  +  4xfo  +  2x9  +  6x103:9)  (-3  +  6x10  +  x^q  +  2x10X9  +  2xfgXg  +  Xg)^\ 

X5  =  — 2xi3(— 1  +  3:13  +  3:11X13), 
xe  =  -2xi2(-1  +  X12  +  3:11X12), 

X7  =  26(— 6x1X2  +  4X1X2  +  2x1X2)  (1  —  8X1X2  +  X1X2  +  XiX^)^^, 
xs  =  26(— 6x1X2  +  2x3X2  +  4x1X2)  (1  —  8x1X2  +  X1X2  +  x\x\Y^, 

Xg  =  14(4X3X4  +  2X3X4  —  6X3X4X5)(x3X4  +  X3X4  —  3X3X4X5  +  X®)^^, 

XlO  =  14(2X3X4  +  4X3X4  —  6X3X4X5)(x3X4  +  X3X4  —  3X3X4X5  +  X®)^^, 

Xll  =  14(— 6X3X4X5  +  6X5)(x3X4  +  X3X4  —  3X3X4X5  +  Xg)^^, 

X12  =  292x6(-1  +  Xg  +  X7  +  xlY^^, 

$\dot{x}_{13} = -x_{13}$.

Suppose  the  invariant  candidate  is  given  by  the  following  conjunction: 

Xi3  =  0  A  ((3:1X2  +  X1X2  —  3X1X2  +  1)^^)^  + 

((x^x^  +  x^x^  -  3x^x^x^  +  xlYf  + 

{{-l  +  xl  +  x^.  +  xlYY^  + 

((—3  +  6x10  +  Xio  +  2x10X9  +  2X10X9  +  3:9)^^)^  + 

(xi2  +  X11X12  -  1)^  =  0. 

By using a differential cut to restrict the evolution domain to the invariant smooth manifold $x_{13} = 0$ (using the rule Lie), one obtains a system for which the sum-of-squares conjunct is a Hamiltonian and thus a first integral; this can be easily proved to be a system invariant using the rule DI=. Naively attempting to use DRI∧ takes an unreasonable amount of time due to the high degrees involved, while the proof involving DC takes under a second for both branches, provided the right rules are selected to prove invariance of atoms.

While differential cuts can serve to increase the deductive power of sufficient proof rules, there are invariant conjunctions of equalities for which applying DC on the conjuncts given in the problem will altogether fail to be fruitful. This is due to DCSearch relying on the fact that at least some of the conjuncts considered individually are invariants for the system, which may not be the case even if the conjunction is invariant.

6  Experiments 

In this section, we empirically compare the performance of three families of proof rules for checking the invariance of conjunctions: (1) DRI-related proof rules including SoSDRI (DRI plus sum-of-squares rewriting), DRI∧ as well as their optimized versions as detailed in Section 3.3, (2) DCSearch: the differential cut proof search presented in Section 5.1, and (3) the Liu et al. procedure [21] applied to a conjunction of equalities.

Figure 3: Empirical performance comparison of different proof rules and strategies. The total number of problems solved each in at most $t$ seconds (log scale) is given on the x-axis for each method. (Plot not reproduced; x-axis: number of problems solved, 5 to 30; series: SoSDRI, SoSDRI-OPT, Liu et al. [16], DCSearch, DRI∧, DRI∧-OPT.)

We do not consider domain constraints, i.e. $H = \mathbb{R}^n$. In Fig. 3, the pair $(k, t)$ in the plot of a proof rule P reads: the proof rule P solved $k$ problems each in less than $t$ seconds. The set of benchmarks contains 32 entries composed of equilibria (16), singularities (8), higher integrals (4) and abstract examples (4). The examples we used in our benchmarks originate from a number of sources: many of them come from textbooks on Dynamical Systems; others have been hand-crafted to exploit sweet spots of certain proof rules. For instance, we constructed Hamiltonian systems, systems with equilibria and systems with smooth invariants of various polynomial degrees. The most involved example has 13 state variables, a vector field with a maximum total degree of 291 and an invariant candidate with total degree of 146. It should be noted that these benchmarks are not necessarily representative, but they are nevertheless an important first step towards a more comprehensive empirical analysis we hope to pursue.

For a third example, all DRI-related proof rules timed out after 60s in one example which was discharged by DCSearch in less than 6s. The detailed results are given in Fig. 4. The benchmarks themselves can be found in Appendix B.

One can clearly see that for the considered set of examples, the proof rule DRI∧ is much more efficient on average compared to SoSDRI, as it solves 31 out of 32 in less than 0.1s each. The optimization discussed in Section 3.3 yields a slight improvement in the performance of both SoSDRI and DRI∧. Notice that the performance improvement is manifested more clearly when compared with SoSDRI, where the polynomials involved have large degrees. In most examples, both DRI∧ and DRI∧-OPT are very efficient. We also noticed for another example, featuring the Motzkin polynomial, that SoSDRI-OPT timed out whereas SoSDRI was able to check the invariance in 15s.

| Problem | Dim, d.Inv, d.VF | SoSDRI | SoSDRI-OPT | Liu-Zhan-Zhao | DCSearch | DRI∧ | DRI∧-OPT |
|---|---|---|---|---|---|---|---|
| 1 | | 0.000 True (N=1) | 0.000 True (N=1) | 0.093 True | 0.000 True | 0.000 True (N=1) | 0.000 True (N=1) |
| 2 | | 0.000 True (N=1) | 0.000 True (N=1) | 0.004 True | 0.001 True | 0.000 True (N=1) | 0.000 True (N=1) |
| 3 | | 0.006 True (N=2) | 0.004 True (N=2) | 0.011 True | 0.003 True | 0.002 True (N=1) | 0.002 True (N=1) |
| 4 | | 0.002 True (N=1) | 0.003 True (N=1) | 0.008 True | 0.005 True | 0.002 True (N=1) | 0.002 True (N=1) |
| 5 | | 0.035 True (N=3) | 0.023 True (N=3) | 0.010 True | 0.004 True | 0.002 True (N=1) | 0.002 True (N=1) |
| 6 | | 0.030 True (N=3) | 0.023 True (N=3) | 0.009 True | 0.004 True | 0.002 True (N=1) | 0.002 True (N=1) |
| 7 | 1 | 0.042 True (N=3) | 0.021 True (N=3) | 0.019 True | 0.014 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 8 | | 0.149 True (N=4) | 0.072 True (N=4) | 0.018 True | 0.006 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 9 | | 0.020 True (N=2) | 0.015 True (N=2) | 0.018 True | 0.007 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 10 | | 0.026 True (N=3) | 0.018 True (N=3) | 0.009 True | 0.005 True | 0.002 True (N=1) | 0.002 True (N=1) |
| 11 | | >60s Timeout | >60s Timeout | 0.036 True | 0.009 True | 0.005 True (N=1) | 0.004 True (N=1) |
| 12 | | 0.028 True (N=2) | 0.024 True (N=2) | 0.034 True | 0.010 True | 0.005 True (N=1) | 0.005 True (N=1) |
| 13 | | >60s Timeout | 1.842 True (N=5) | 0.019 True | 0.008 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 14 | | >60s Timeout | >60s Timeout | 0.073 True | 0.014 True | 0.006 True (N=1) | 0.006 True (N=1) |
| 15 | | 0.560 True (N=4) | 0.692 True (N=4) | 0.066 True | 0.014 True | 0.006 True (N=1) | 0.006 True (N=1) |
| 16 | | 0.287 True (N=4) | 0.069 True (N=4) | 0.034 True | 0.011 True | 0.005 True (N=1) | 0.005 True (N=1) |
| 17 | | 0.158 True (N=3) | 0.055 True (N=3) | 0.038 True | 0.019 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 18 | | 0.041 True (N=3) | 0.022 True (N=3) | 0.014 True | 0.009 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 19 | | 0.158 True (N=5) | 0.100 True (N=5) | 0.015 True | 0.007 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 20 | | 0.041 True (N=2) | 0.041 True (N=2) | 0.012 True | 0.006 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 21 | | 0.012 True (N=2) | 0.011 True (N=2) | 0.007 True | 0.004 True | 0.003 True (N=1) | 0.002 True (N=1) |
| 22 | | 0.349 True (N=2) | 0.303 True (N=2) | 0.050 True | 0.015 True | 0.011 True (N=1) | 0.011 True (N=1) |
| 23 | | >60s Timeout | >60s Timeout | 0.052 True | 0.150 True | 0.008 True (N=1) | 0.008 True (N=1) |
| 24 | | 11.65 True (N=2) | 11.61 True (N=2) | 0.020 True | 0.245 True | 0.006 True (N=1) | 0.006 True (N=1) |
| 25 | | 0.508 True (N=5) | 0.142 True (N=5) | 0.035 True | 0.010 True | 0.004 True (N=1) | 0.004 True (N=1) |
| 26 | | 0.002 True (N=1) | 0.003 True (N=1) | 0.013 True | 0.001 True | 0.003 True (N=1) | 0.003 True (N=1) |
| 27 | | >60s Timeout | >60s Timeout | >60s Timeout | 0.106 True | 0.009 True (N=1) | 0.008 True (N=1) |
| 28 | 6, 6 | >60s Timeout | >60s Timeout | >60s Timeout | 0.560 False | >60s Timeout | >60s Timeout |
| 29 | | 0.140 True (N=5) | 0.127 True (N=5) | 0.126 True | 0.008 True | 0.004 True (N=1) | 0.003 True (N=1) |
| 30 | 6 | >60s Timeout | >60s Timeout | 0.048 True | 0.019 True | 0.006 True (N=1) | 0.006 True (N=1) |
| 31 | | 17.75 True (N=6) | >60s Timeout | 0.095 True | 0.058 False | 0.077 True (N=3) | 0.056 True (N=3) |
| 32 | 13, 292, 291 | >60s Timeout | >60s Timeout | >60s Timeout | 0.003 True | >60s Timeout | >60s Timeout |

Figure 4: Benchmarks. Each method cell gives the running time in seconds followed by the outcome (True, False, or Timeout after 60s); the Dim, d.Inv and d.VF values are shown only for the rows where they survived extraction.

Remark 4. There is a slight discrepancy between the benchmarks reported in [15], which is due to a software bug that resulted in quickly falsifying example 28 with the optimized version of DRI∧, while all the other necessary and sufficient methods timed out.
Example 4. The Motzkin polynomial, given by

$$M(x, y) = x^4 y^2 + x^2 y^4 - 3x^2 y^2 + 1,$$

is often associated with Hilbert's 17th problem (see e.g. [34]). In particular, it was the first explicit example of a non-negative polynomial which is not a sum-of-squares. The roots of $M(x, y)$ are $(1, 1), (1, -1), (-1, 1), (-1, -1) \in \mathbb{R}^2$. Let us consider the vector field

$$p(x_1, x_2) = \big((x_1 - 1)(x_1 + 1),\ (x_2 - 1)(x_2 + 1)\big)$$

under which the set of roots is invariant (illustrated in Fig. 5, left). Additionally, let us introduce an extra dimension for which we construct an invariant sub-space $x_3 = 0$ by adding the dynamics $\dot{x}_3 = -x_3$ (Fig. 5, right) to yield an augmented vector field defined on $\mathbb{R}^3$, i.e.

$$p(x_1, x_2, x_3) = \big((x_1 - 1)(x_1 + 1),\ (x_2 - 1)(x_2 + 1),\ -x_3\big)\,.$$

We can see that in this augmented system the set of states satisfying

$$M(x_1, x_2) = 0 \wedge x_3 = 0$$

is invariant under the flow of $\dot{x} = p(x_1, x_2, x_3)$.

Figure 5: Invariant zero level set $M(x) = 0$ (left) on an invariant sub-space in $\mathbb{R}^3$ (right).

When we investigated this example, it turned out that the rational coefficients of the remainder became more involved than those of the original polynomial before performing the reduction. For this particular example, the optimized version was able to prove invariance in 300s, which is 20 times slower than the unoptimized version.
7 Related Work

In this paper we focus on checking invariance of algebraic sets under the flow of polynomial vector fields. For similar techniques used to automatically generate invariant algebraic sets we refer the reader to the discussion in [14].

Nagumo's Theorem [3], proved by Mitio Nagumo in 1942, characterizes invariant closed sets (a superset of algebraic sets) of locally Lipschitz-continuous vector fields (a superset of polynomial vector fields). The geometric criterion of the theorem is however intractable. The analyticity of solutions of analytic vector fields (a superset of polynomial vector fields) also gives a powerful, yet intractable, criterion to reason about invariant sets. In [35], the authors attempted to define several special cases exploiting either Nagumo's theorem or the analyticity of solutions, to give proof rules for checking invariance of (closed) semi-algebraic sets under the flow of polynomial vector fields. Liu et al. in [21] also used analyticity of solutions to polynomial ordinary differential equations and extended [35] using the ascending chain condition in Noetherian rings to ensure termination of their procedure; they gave a necessary and sufficient condition for invariance of arbitrary semi-algebraic sets under the flow of polynomial vector fields and proved the resulting conditions to be decidable.

We develop a purely algebraic approach where the ascending chain condition is also used but without resorting to local Taylor series expansions. As in [21], we require finitely many higher-order Lie derivatives to vanish; what is different, however, is the definition of the finite number each characterization requires: in [21], one is required to compute orders $N_i$ of each atom $h_i$ and to prove that all higher-order Lie derivatives of $h_i$, up to order $N_i - 1$, vanish. We state a weaker condition as we only require that all higher-order Lie derivatives of $h_i$ up to order $(N - 1)$, for all $i$, vanish. A straightforward benefit of our characterization is the immediate reduction of the computational complexity as discussed in Section 3 and shown empirically in Section 6.

Zerz and Walcher [38] have previously considered the problem of deciding invariance of algebraic sets in polynomial vector fields; they gave a sufficient condition for checking invariance of algebraic sets which can be seen as one iteration of Algorithm 1. Therefore, Section 3 generalizes their work by providing a complete characterization of invariant algebraic sets in polynomial vector fields.


8  Conclusion 

We have introduced an efficient decision procedure (DRI∧) for deciding invariance of conjunctive equational assertions for polynomial dynamical systems. We have explored the use of the differential cut rule both as a means of increasing the deductive power of existing sufficient proof rules and also as a way of constructing more computationally efficient proofs of invariance.

The empirical performance we observe in the optimized implementations of DRI and DRI∧ is very encouraging and we are confident that a proof strategy in a deductive formal verification system should give precedence to these methods. However, certain problems fall out of scope of these rules: for instance, problems that involve transcendental functions, or that still take an unreasonably long time to prove. We leave these interesting questions for future work.
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A  Proof  of  Theorem  3 


In [13, Theorem 2], we characterized the invariance of a polynomial equality, of the form $h = 0$, for a polynomial vector field $\dot{x} = p(x)$. The purpose of this section is to prove Theorem 3 (Section 3), an extension of [13, Theorem 2] to a conjunction of polynomial equalities, i.e. $h_1 = 0 \wedge h_2 = 0 \wedge \cdots \wedge h_r = 0$. We first recall some basic definitions and known results (Section A.1). The proof is then given in Section A.2. Unless otherwise specified, the evolution domain $H$ will be considered as an open set of $\mathbb{R}^n$.

A.1 Preliminaries

Polynomial functions are smooth ($C^\infty$, i.e. they have derivatives of any order); in particular, they are locally Lipschitz-continuous. By the Cauchy-Lipschitz theorem (a.k.a. Picard-Lindelöf theorem) [20], the initial value problem $(\dot{x} = p,\ x(0) = x_\iota)$, for some $x_\iota \in \mathbb{R}^n$, admits a unique maximal solution $x(t)$ defined for $t \in U$, where $U$ is some nonempty open set (interval) in $\mathbb{R}$ that contains zero.

The orbit of $x(t)$ is defined as follows:

Definition 2 (Orbit). The orbit of the solution $x(t)$ of Def. 1 is defined as

$$\mathcal{O}(x_\iota) = \{\, x(t) \mid t \in U \,\} \subseteq \mathbb{R}^n .$$

Since we are interested in forward reachability, we restrict in addition the orbit to non-negative time:

Definition 3 (Positive Orbit). The positive orbit, or reachable set, of the solution $x(t)$ of Def. 1 is defined as

$$\mathcal{O}^+(x_\iota) = \{\, x(t) \mid t \in U \cap [0, +\infty) \,\} \subseteq \mathbb{R}^n .$$

In the presence of an open evolution domain $H \subseteq \mathbb{R}^n$, we require that $x_\iota \in H$ and we restrict the orbit $\mathcal{O}^+(x_\iota)$ to $H$, that is, we are only interested in the portion of the trajectory that remains inside $H$:

$$\mathcal{O}^+(x_\iota)|_H = \{\, x(t) \mid t \in U \cap [0, +\infty) \ \wedge\ \forall t' \in [0, t] : x(t') \in H \,\} .$$

Definition 4 (Ideal). An ideal $I$ is a subset of $\mathbb{R}[x]$ that contains the polynomial zero ($0$) and is stable under addition and external multiplication. That is, for all $h_1, h_2 \in I$, the sum $h_1 + h_2 \in I$; and if $h \in I$, then $qh \in I$ for all $q \in \mathbb{R}[x]$.

For a finite natural number $r$, we denote by $\langle h_1, \dots, h_r \rangle$ the subset of $\mathbb{R}[x]$ generated by the polynomials $\{h_1, \dots, h_r\}$, i.e. the set of linear combinations of the polynomials $h_i$ (where the coefficients are themselves polynomials):

$$\langle h_1, \dots, h_r \rangle = \Big\{\, \sum_{i=1}^{r} q_i h_i \ \Big|\ q_1, \dots, q_r \in \mathbb{R}[x] \,\Big\} .$$

By Def. 4, the set $\langle h_1, \dots, h_r \rangle$ is an ideal. More interestingly, by Hilbert's Basis Theorem [17], any ideal $I$ of the Noetherian ring $\mathbb{R}[x]$ can be generated by a finite set of polynomials $\{h_1, \dots, h_r\}$, so that $I = \langle h_1, \dots, h_r \rangle$.

Definition 5 (Variety or Algebraic Set or Zero Set). Given $Y \subseteq \mathbb{R}[x]$, the variety (over the reals) $V(Y)$ is the subset of $\mathbb{R}^n$ defined by the common roots of all polynomials in $Y$. That is,

$$V(Y) = \{\, x \in \mathbb{R}^n \mid \forall h \in Y,\ h(x) = 0 \,\} .$$

$V(\cdot)$ can be thought of as an operator that maps subsets of $\mathbb{R}[x]$ to subsets of $\mathbb{R}^n$. In general, the map $V(\cdot)$ is not injective even when applied to ideals: two distinct subsets of $\mathbb{R}[x]$ can be mapped to the exact same variety. For instance, in $\mathbb{R}[x_1, x_2]$, the ideals $I_1 = \langle x_1, x_2^2 \rangle$ and $I_2 = \langle x_1^2, x_2 \rangle$ are both mapped to the point $(x_1, x_2) = (0, 0)$ (which is a variety). The ideals $I_1$ and $I_2$ are distinct and incomparable: the polynomial $x_1 \in I_1$ is not in $I_2$, and $x_2 \in I_2$ is not in $I_1$.

Definition 6 (Vanishing Ideal). The vanishing ideal (over the reals) $I(S)$ of $S \subseteq \mathbb{R}^n$ is the set of all polynomials that evaluate to zero for all $x \in S$:

$$I(S) = \{\, h \in \mathbb{R}[x] \mid \forall x \in S,\ h(x) = 0 \,\} . \qquad (13)$$

The set $I(S) \subseteq \mathbb{R}[x]$ is an ideal as it satisfies the requirements of Def. 4. Likewise, we can think of $I(\cdot)$ (Def. 6) as a non-injective operator that acts on subsets of $\mathbb{R}^n$. For instance, the two intervals $[1, 2]$ and $[-2, -1]$ are subsets of $\mathbb{R}$ mapped to the same ideal, namely $\langle 0 \rangle$. However, when restricted to varieties, the operator $I(\cdot)$ is injective.

We state the following well-known result (see, e.g. [8, Chapter 4, Theorem 7]) for convenience, as it permits switching back and forth between varieties of $\mathbb{R}^n$ and ideals of $\mathbb{R}[x]$.

Proposition 3 (Ideal-Variety Correspondence). For any ideals $I_1$ and $I_2$ of $\mathbb{R}[x]$, if $I_1 \subseteq I_2$, then $V(I_1) \supseteq V(I_2)$. Likewise, for any varieties $V_1$ and $V_2$ of $\mathbb{R}^n$, if $V_1 \subseteq V_2$, then $I(V_1) \supseteq I(V_2)$. Furthermore, for any variety $S$, we have $V(I(S)) = S$, and for any ideal $Y$, we have $Y \subseteq I(V(Y))$.

The Zariski closure $\overline{\mathcal{O}^+(x_\iota)|_H}$ of the set $\mathcal{O}^+(x_\iota)|_H$ is the variety of the vanishing ideal of $\mathcal{O}^+(x_\iota)|_H$:

$$\overline{\mathcal{O}^+(x_\iota)|_H} = V\big(I(\mathcal{O}^+(x_\iota)|_H)\big) . \qquad (14)$$

That is, $\overline{\mathcal{O}^+(x_\iota)|_H}$ is defined as the set of all points that are common roots of all polynomials that are zero everywhere in $\mathcal{O}^+(x_\iota)|_H$.

Proposition 4 (Soundness of Zariski Closure). $\mathcal{O}^+(x_\iota)|_H \subseteq \overline{\mathcal{O}^+(x_\iota)|_H}$.

Proof. All points of $\mathcal{O}^+(x_\iota)|_H$ are roots of every polynomial in its vanishing ideal $I(\mathcal{O}^+(x_\iota)|_H)$ (Def. 6), and all common roots of all polynomials in $I(\mathcal{O}^+(x_\iota)|_H)$ are in $\overline{\mathcal{O}^+(x_\iota)|_H}$ (Def. 5). Thus, $\mathcal{O}^+(x_\iota)|_H \subseteq V(I(\mathcal{O}^+(x_\iota)|_H)) = \overline{\mathcal{O}^+(x_\iota)|_H}$.$^4$ □

$^4$ NB: If we use an algebraically closed field instead of $\mathbb{R}$, the operators $V(\cdot)$ and $I(\cdot)$ form a Galois connection. One can therefore talk about exact abstraction, where subsets of the space are abstracted by varieties. Since we use the field of real numbers, which is not algebraically closed, we technically only have a concretisation-based abstraction [7].
Lie derivatives (Eq. (3)) are closely related to time derivatives. In fact, they are equal when evaluated on the solution $x(t)$.

Lemma 3 (Derivation). Let $h \in \mathbb{R}[x]$. Then, the Lie derivative of $h$ along the vector field $p$ is exactly equal to the time derivative of $h(x(t))$:

$$\frac{d\,h(x(t))}{dt} = \mathcal{L}_p(h) .$$

Proof. The lemma follows from the chain rule: the polynomial $h$ is seen as a function of $x$, which is in turn a function of $t$ (when $x(t)$ is the solution of the initial value problem $(\dot{x} = p,\ x(0) = x_\iota)$). Thus,

$$\frac{d\,h(x(t))}{dt} = \sum_{i=1}^{n} \frac{\partial h}{\partial x_i}\,\frac{d x_i}{dt} = \sum_{i=1}^{n} \frac{\partial h}{\partial x_i}\, p_i = \mathcal{L}_p(h) .$$

□


The time derivation gives an analytic point of view, whereas the Lie derivative is purely algebraic and makes explicit the link to the vector field. Lie derivation therefore allows computing symbolically the time derivative of any polynomial $h \in \mathbb{R}[x]$: it only requires the partial derivatives of $h$ and the vector field $p$.

Definition 7 (Real Ideal [4, Definition 4.1.3]). An ideal $I$ of $\mathbb{R}[x]$ is said to be real if and only if for every sequence $q_1, \dots, q_r$ of elements of $\mathbb{R}[x]$, we have

$$q_1^2 + \cdots + q_r^2 \in I \ \rightarrow\ q_i \in I, \quad \text{for } i = 1, \dots, r .$$

In particular, all vanishing ideals are real ideals.

Lemma 4. The vanishing ideal $I(S)$ of any $S \subseteq \mathbb{R}^n$ is a real ideal.

Proof. If the polynomial $q_1^2 + \cdots + q_r^2$ is in $I(S)$, for some $q_1, \dots, q_r \in \mathbb{R}[x]$, then its set of roots contains $S$ (Def. 6). However, we have the following equivalence over the reals:

$$q_1^2 + \cdots + q_r^2 = 0 \ \iff\ q_i = 0, \quad \text{for } i = 1, \dots, r .$$

Thus, a root of the polynomial $q_1^2 + \cdots + q_r^2$ is also a root of the polynomials $q_i$, for $i = 1, \dots, r$. This means that $q_i \in I(S)$ for $i = 1, \dots, r$. By Def. 7, $I(S)$ is a real ideal. □

In $\mathbb{R}[x]$, real ideals have an important property: they are fixed under the mapping $I(V(\cdot))$ (see Def. 6 and Def. 5).

Proposition 5 (Real Nullstellensatz [4, Theorem 4.1.4]). Let $Y$ be an ideal of $\mathbb{R}[x]$. Then, $Y = I(V(Y))$ if and only if $Y$ is real.

Definition 8 (Invariant Regions subject to evolution domain constraints). The region $S \subseteq \mathbb{R}^n$ is (positively) invariant for the vector field $p$ subject to the evolution domain constraint $H$ if and only if

$$\forall x_\iota \in S \cap H,\quad \mathcal{O}^+(x_\iota)|_H \subseteq S .$$
In particular, we focus on invariant algebraic sets, that is, where $S$ is a variety. This choice is essentially motivated by the interesting algebraic properties of varieties. As a matter of fact, when $S$ is a variety, the (intractable) orbit $\mathcal{O}^+(x_\iota)|_H$ in Def. 8 can be equivalently substituted by its closure, allowing a powerful algebraic handle for invariant varieties.

Lemma 5. The variety $S$ is a positive invariant variety for the vector field $p$ subject to the evolution domain constraint $H$ if and only if

$$\forall x_\iota \in S \cap H,\quad \overline{\mathcal{O}^+(x_\iota)|_H} \subseteq S .$$

Proof. If $S$ is an invariant variety subject to $H$ then, for all $x_\iota \in S \cap H$, $\mathcal{O}^+(x_\iota)|_H \subseteq S$ (Def. 8). However, $\overline{\mathcal{O}^+(x_\iota)|_H}$ is the smallest variety containing $\mathcal{O}^+(x_\iota)|_H$. Therefore, $\overline{\mathcal{O}^+(x_\iota)|_H} \subseteq S$.

On the other hand, since $\mathcal{O}^+(x_\iota)|_H \subseteq \overline{\mathcal{O}^+(x_\iota)|_H}$ (Prop. 4), $\overline{\mathcal{O}^+(x_\iota)|_H} \subseteq S$ implies $\mathcal{O}^+(x_\iota)|_H \subseteq S$. □

We state an important property of the vanishing ideal $I(\mathcal{O}^+(x_\iota)|_H)$. Similar results are known under different formulations ([32, Theorem 3.1], [29, Lemma 3.7] and [13, Proposition 3]).

Proposition 6. $I(\mathcal{O}^+(x_\iota)|_H)$ is a differential ideal for $\mathcal{L}_p$, i.e. it is stable under the action of the $\mathcal{L}_p$ operator: for all $h \in I(\mathcal{O}^+(x_\iota)|_H)$, $\mathcal{L}_p(h) \in I(\mathcal{O}^+(x_\iota)|_H)$.

Proof. Let $I$ denote $I(\mathcal{O}^+(x_\iota)|_H)$. Given $h \in I$, we prove that $\mathcal{L}_p(h) \in I$. If $h$ is in $I$, then the vector $x(t)$ is a root of the polynomial $h(x)$. This means that the real-valued function $h(x(t))$, obtained by substituting $x$ in $h$ by the solution $x(t)$, is a constant function and is actually equal to zero over an open interval containing $0$. The existence of such an open interval follows immediately from three facts: $x_\iota \in H$, $x(t)$ is defined over an open interval $U$ containing $0$, and $H$ is an open set. Its time derivative is therefore also zero for all $x(t) \in \mathcal{O}^+(x_\iota)|_H$. Since the time derivative of $h(x(t))$ corresponds exactly to the Lie derivative of $h$, it follows that for all $x(t) \in \mathcal{O}^+(x_\iota)|_H$, $x(t)$ is a zero of $\mathcal{L}_p(h)$, seen as a polynomial of $\mathbb{R}[x]$. Therefore, $\mathcal{L}_p(h) \in I$ by definition of $I$. □

Notice that the fact that $H$ is an open set plays a crucial role in this proposition. In fact, the statement no longer holds for an arbitrary (or even closed) set $H$.

Example 5. Consider the vector field $p = (-x_2, x_1)$ and the evolution domain constraint $H := x_1 \le -1$. When $x_\iota = (-1, 0)$, $\mathcal{O}^+(x_\iota)|_H$ is reduced to one point, namely $(-1, 0)$, and therefore $I(\mathcal{O}^+(x_\iota)|_H) = \langle x_1 + 1, x_2 \rangle$. The polynomial $h = x_2$ is trivially in $\langle x_1 + 1, x_2 \rangle$; however, its Lie derivative $\mathcal{L}_p(h) = x_1$ is not. This suggests that the proposition may fail whenever $x_\iota$ is on the boundary of $H$.

A.2  Proof  of  the  Main  Result 

The differential radical of an ideal generated by one polynomial (principal ideal) $\langle h \rangle$ can be extended to a generic ideal $J = \langle h_1, \dots, h_r \rangle \subseteq \mathbb{R}[x]$. Since the ring of polynomials over $\mathbb{R}$ is Noetherian, the following chain of ideals

$$\langle h_1, \dots, h_r \rangle \subseteq \langle h_1, \dots, h_r, \mathcal{L}_p^{(1)}(h_1), \dots, \mathcal{L}_p^{(1)}(h_r) \rangle \subseteq \cdots$$

has necessarily a finite length. The construction of such an ascending chain is very similar to the construction of the radical of an ideal$^5$, except with higher-order Lie derivatives, $\mathcal{L}_p^{(i)}(h_j)$, in place of higher powers of polynomials, $h^i$. This motivates the following definition.

Definition 9 (Differential Radical Ideal). For $\langle h_1, \dots, h_r \rangle \subseteq \mathbb{R}[x]$, let $1 \le N < \infty$ be the smallest natural number such that:

$$\forall i = 1, \dots, r \qquad \mathcal{L}_p^{(N)}(h_i) \in \langle h_1, \dots, h_r, \dots, \mathcal{L}_p^{(N-1)}(h_1), \dots, \mathcal{L}_p^{(N-1)}(h_r) \rangle . \qquad (15)$$

We call the ideal

$$\sqrt[\mathcal{L}]{\langle h_1, \dots, h_r \rangle} = \langle h_1, \dots, h_r, \dots, \mathcal{L}_p^{(N-1)}(h_1), \dots, \mathcal{L}_p^{(N-1)}(h_r) \rangle \qquad (16)$$

the differential radical ideal of $h_1, \dots, h_r$. $N$ will be referred to as the differential radical order, or simply order, of $\langle h_1, \dots, h_r \rangle$.

Def.  9  extends  the  concept  of  differential  radical  order  introduced,  for  one  polynomial,  in  [13, 
Definition  8].  Differential  radical  order  is  akin  to  the  concept  of  rank  used  in  [21,  Theorems  14  & 
15]. 

Theorem 3 (Conjunctive Differential Radical Characterization). Let $h_1, \dots, h_r \in \mathbb{R}[x]$ and let $H$ denote some open evolution domain constraint. Then, the conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$ is invariant under the flow of the vector field $p$, subject to the evolution constraint $H$, if and only if

$$H \wedge \bigwedge_{j=1}^{r} h_j = 0 \ \vdash\ \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h_j) = 0 , \qquad (17)$$

where $N$ denotes the order of the conjunction.
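As an added illustration (not code from the paper, nor its Mathematica implementation), the following Python script carries out the two computations behind Theorem 3 on constructed inputs: it iterates Lie derivatives and uses a Gröbner-basis membership test to find the differential radical order $N$ of Def. 9 (Eq. (15)), and it then applies an ideal-membership shortcut for the premise of Eq. (17) with $H = \mathbb{R}^n$, which is an assumption of this example. The polynomial arithmetic and the unoptimised Buchberger routine are self-written helpers; the inputs are the circle $x_1^2 + x_2^2 - 1 = 0$ and the axis $x_2 = 0$ under the rotation field $p = (-x_2, x_1)$ of Example 5, and benchmark problem 4. The shortcut is only sufficient: membership of $\mathcal{L}_p^{(i)}(h_j)$ in $\langle h_1, \dots, h_r \rangle$ implies it vanishes on the variety, whereas the paper decides the real-arithmetic sequent (17) exactly.

```python
from fractions import Fraction
from math import prod

# Polynomials over Q in n variables: {exponent tuple: Fraction}; the zero polynomial is {}.
# Constructed helpers for this example, not the paper's implementation.
def clean(f): return {m: Fraction(c) for m, c in f.items() if c != 0}
def neg(f): return {m: -c for m, c in f.items()}

def add(f, g):
    h = dict(f)
    for m, c in g.items():
        h[m] = h.get(m, 0) + c
    return clean(h)

def mul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            h[m] = h.get(m, 0) + c1 * c2
    return clean(h)

def diff(f, i):  # partial derivative with respect to variable i
    h = {}
    for m, c in f.items():
        if m[i] > 0:
            m2 = m[:i] + (m[i] - 1,) + m[i + 1:]
            h[m2] = h.get(m2, 0) + c * m[i]
    return clean(h)

def lie(h, p):  # Lie derivative L_p(h) = sum_i (dh/dx_i) * p_i along p = (p_1, ..., p_n)
    out = {}
    for i, p_i in enumerate(p):
        out = add(out, mul(diff(h, i), p_i))
    return out

def lead(f): return max(f)  # lex order x_1 > x_2 > ... via tuple comparison

def remainder(f, G):  # multivariate division; {} means f is in <G> when G is a Groebner basis
    f, r = dict(f), {}
    while f:
        m = lead(f)
        for g in G:
            lg = lead(g)
            if all(a >= b for a, b in zip(m, lg)):
                q = tuple(a - b for a, b in zip(m, lg))
                f = add(f, mul({q: -f[m] / g[lg]}, g))
                break
        else:
            r[m] = f.pop(m)
    return r

def spoly(f, g):
    lf, lg = lead(f), lead(g)
    lcm = tuple(max(a, b) for a, b in zip(lf, lg))
    tf = {tuple(a - b for a, b in zip(lcm, lf)): Fraction(1) / f[lf]}
    tg = {tuple(a - b for a, b in zip(lcm, lg)): Fraction(-1) / g[lg]}
    return add(mul(tf, f), mul(tg, g))

def groebner(F):  # plain Buchberger algorithm; adequate for the tiny ideals used here
    G = [clean(f) for f in F if clean(f)]
    pairs = [(i, j) for i in range(len(G)) for j in range(i)]
    while pairs:
        i, j = pairs.pop()
        r = remainder(spoly(G[i], G[j]), G)
        if r:
            G.append(r)
            pairs += [(len(G) - 1, k) for k in range(len(G) - 1)]
    return G

def in_ideal(f, G): return not remainder(f, G)

def differential_radical_order(H, p, max_order=20):
    """Def. 9: smallest N such that every L_p^(N)(h_j) lies in the ideal generated by all
    lower-order derivatives. Returns (N, derivs) with derivs[i][j] = L_p^(i)(h_j), 0 <= i < N."""
    derivs = [[clean(h) for h in H]]
    gens = list(derivs[0])
    for N in range(1, max_order + 1):
        G = groebner(gens)
        nxt = [lie(h, p) for h in derivs[-1]]
        if all(in_ideal(d, G) for d in nxt):
            return N, derivs
        derivs.append(nxt)
        gens += nxt
    raise RuntimeError("no stabilisation within max_order")

def check_invariance(H, p):
    """Sufficient shortcut for Eq. (17) with H = R^n (assumption): if every L_p^(i)(h_j),
    1 <= i < N, is in <h_1, ..., h_r>, it vanishes on the variety and (17) holds.
    Returns (N, True) when the shortcut succeeds and (N, False) when it is inconclusive."""
    N, derivs = differential_radical_order(H, p)
    G0 = groebner(H)
    return N, all(in_ideal(d, G0) for row in derivs[1:] for d in row)

def evaluate(f, point): return sum(c * prod(v ** e for v, e in zip(point, m)) for m, c in f.items())

# Constructed inputs in R[x1, x2].
X1, X2, ONE = {(1, 0): Fraction(1)}, {(0, 1): Fraction(1)}, {(0, 0): Fraction(1)}
ROTATION = (neg(X2), X1)                                 # p = (-x2, x1), as in Example 5
CIRCLE = add(add(mul(X1, X1), mul(X2, X2)), neg(ONE))    # x1^2 + x2^2 - 1
BENCH4_H = [add(X1, neg(ONE)), add(X2, ONE)]             # benchmark 4: x1 - 1 = 0 and x2 + 1 = 0
BENCH4_P = (mul(BENCH4_H[0], X2), mul(X2, BENCH4_H[1]))  # x1' = (x1 - 1) x2, x2' = x2 (x2 + 1)

if __name__ == "__main__":
    print("circle under rotation:", check_invariance([CIRCLE], ROTATION))  # (1, True)
    print("benchmark 4:", check_invariance(BENCH4_H, BENCH4_P))             # (1, True)
    N, derivs = differential_radical_order([X2], ROTATION)                 # N = 2, L_p(x2) = x1
    print("x2 = 0 under rotation: N =", N, "; L_p(x2) at (1, 0) =", evaluate(derivs[1][0], (1, 0)))
```

For the circle and for benchmark 4 every first Lie derivative already lies in $\langle h_1, \dots, h_r \rangle$, so $N = 1$ and the conjunction in (17) is empty: both candidates are invariant. For $x_2 = 0$ the order is $N = 2$ and (17) would require $x_2 = 0 \vdash x_1 = 0$; evaluating $\mathcal{L}_p(x_2) = x_1$ at the point $(1, 0)$ of the candidate gives $1 \neq 0$, a counterexample that no ideal-membership test can hide.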

Proof. The proof follows the same steps as [13, Theorem 1] while generalizing it to higher dimensions. Typically, the vector $g$ below is formed by concatenating $r$ vectors, and the matrix $A(t)$ is a block matrix.

Necessary condition. Let $\langle h_1, \dots, h_r \rangle \subseteq I(\mathcal{O}^+(x_\iota)|_H)$. By Prop. 6, all higher-order Lie derivatives of all $h_j$ are also in $I(\mathcal{O}^+(x_\iota)|_H)$. Eq. (17) follows from the fact that all polynomials of $I(\mathcal{O}^+(x_\iota)|_H)$ vanish on all points of $\mathcal{O}^+(x_\iota)|_H$, in particular for $x_\iota$, since $x_\iota \in \mathcal{O}^+(x_\iota)|_H$.

Sufficient condition. We prove that if Eq. (17) is satisfied then $h_1(x(t)) = 0, \dots, h_r(x(t)) = 0$ for all $x(t) \in \mathcal{O}^+(x_\iota)|_H$, which implies that the ideal $\langle h_1, \dots, h_r \rangle \subseteq I(\mathcal{O}^+(x_\iota)|_H)$ by definition of $I(\mathcal{O}^+(x_\iota)|_H)$ (Def. 6). Recall that $U$ is the domain of definition (some open interval of $\mathbb{R}$) for $t$ of the solution $x(t)$. We will denote by $U|_H$ the restriction of $U$ to $H$: $U|_H = \{\, t \mid x(t) \in H \,\}$.

$^5$ For a principal ideal $\langle h \rangle$, the construction of its radical ideal $\sqrt{\langle h \rangle}$ consists of augmenting $\langle h \rangle$ by all high powers $h^N$ of the generating element $h$.

We define the real functions $f_j : U|_H \to \mathbb{R}$ by $f_j(t) = h_j(x(t))$. We want to prove that the functions $f_j$ are identically zero on $U|_H$. Since $N$ is the order of $\langle h_1, \dots, h_r \rangle$, by Eq. (15) (Def. 9), for each $h_j$ there exists a vector of polynomials $q_{ij}(x)$ such that

$$\mathcal{L}_p^{(N)}(h_j) - \sum_{i=0}^{N-1} q_{ij} \cdot \big( \mathcal{L}_p^{(i)}(h_1), \dots, \mathcal{L}_p^{(i)}(h_r) \big) = 0 . \qquad (18)$$

Let $\alpha_{ij} : U|_H \to \mathbb{R}^r$, $t \mapsto q_{ij}(x(t))$. The equality of Eq. (18), together with the initial value condition given by Eq. (17), can be transformed into the following homogeneous higher-order, higher-dimension linear differential equation:

$$f^{(N)}(t) - \sum_{i=0}^{N-1} A_i(t)\, f^{(i)}(t) = 0 , \qquad (19)$$

where $f = (f_1, \dots, f_r)$ and the $r \times r$ square matrices $A_i(t)$ are such that the $j$th row of $A_i(t)$ is the vector $\alpha_{ij}$.

The newly defined system in Eq. (19) can be seen as an $Nr$-dimensional linear nonautonomous ($A_i(t)$ are time dependent) system using the encoding $g = (f, f^{(1)}, \dots, f^{(N-1)})$, that is, $g$ is the vector obtained by concatenating the $N$ vectors $f^{(i)}$:

$$\dot{g} - A(t)\, g = 0 , \qquad (20)$$

where

$$A(t) = \begin{pmatrix}
0 & I_r & 0 & \cdots & 0 \\
0 & 0 & I_r & \ddots & \vdots \\
\vdots & \vdots & \ddots & \ddots & 0 \\
0 & 0 & \cdots & 0 & I_r \\
A_0(t) & A_1(t) & \cdots & A_{N-2}(t) & A_{N-1}(t)
\end{pmatrix}$$

and $I_r$ denotes the identity matrix of dimension $r$. In the newly defined linear system of Eq. (20), $A(t)g$ is globally Lipschitz continuous w.r.t. $g$. That is, there exists a global Lipschitz constant, namely $\|A(t)\|$, the induced norm of $A(t)$ on the space $\mathbb{R}^{Nr}$, such that, for all $t$:

$$\|A(t) g_1 - A(t) g_2\| \le \|A(t)\|\, \|g_1 - g_2\| .$$


By the Cauchy-Lipschitz theorem [20] (see [37, Chapter 14, Theorem VI] for the multi-linear case), there exists a unique solution $g(t)$ defined on the entire interval $U|_H$ ($A_i(t)$, and hence $A(t)$, are not defined outside $U|_H$ by definition) that satisfies the initial condition $g(0) = 0$. However, the null function $g(t) = 0$ is an obvious solution to Eq. (20) which satisfies $g(0) = 0$. Hence, $g(t)$ is identically zero for all $t \in U|_H$. Since $g = (f, f^{(1)}, \dots, f^{(N-1)})$, by Lem. 3, for all $i = 0, \dots, N-1$ and for all $j = 1, \dots, r$, $\mathcal{L}_p^{(i)}(h_j)(x(t)) = 0$ for all $x(t)$. Therefore, all the polynomials $h_j$ as well as all their Lie derivatives vanish on the set $\mathcal{O}^+(x_\iota)|_H$ and are hence members of $I(\mathcal{O}^+(x_\iota)|_H)$. □
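A worked instance of the encoding in Eqs. (18) to (20), added here as an illustration and not part of the original proof: take $r = 1$, the vector field $p = (-x_2, x_1)$ of Example 5, the single polynomial $h = x_2$ and $H = \mathbb{R}^2$. The Lie derivatives are $\mathcal{L}_p(h) = x_1$ and $\mathcal{L}_p^{(2)}(h) = -x_2 = -h$. Since $x_1 \notin \langle x_2 \rangle$ but $-x_2 \in \langle x_2, x_1 \rangle$, the order is $N = 2$, and Eq. (18) holds with $q_{01} = -1$ and $q_{11} = 0$:

$$\mathcal{L}_p^{(2)}(h) - \big( q_{01}\, h + q_{11}\, \mathcal{L}_p(h) \big) = -x_2 - (-1)\cdot x_2 - 0 \cdot x_1 = 0 .$$

With $f(t) = h(x(t)) = x_2(t)$, the matrices of Eq. (19) are the scalars $A_0(t) = -1$ and $A_1(t) = 0$, so Eq. (19) reads $f'' + f = 0$, and with $g = (f, f')$ Eq. (20) becomes

$$\dot{g} - \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix} g = 0, \qquad g(0) = \big( h(x_\iota),\ \mathcal{L}_p(h)(x_\iota) \big) = \big( x_{2}(0),\ x_{1}(0) \big),$$

where $f'(0) = \mathcal{L}_p(h)(x_\iota)$ by Lem. 3. For this conjunction, Eq. (17) demands $x_2 = 0 \vdash x_1 = 0$, which fails at, e.g., $x_\iota = (1, 0)$: there $g(0) = (0, 1) \neq 0$, and indeed the solution is $x(t) = (\cos t, \sin t)$ with $f(t) = \sin t \not\equiv 0$, so $x_2 = 0$ is not invariant. At $x_\iota = (0, 0)$ the premise of (17) holds, $g(0) = 0$, and uniqueness forces $g \equiv 0$, exactly as in the sufficient direction of the proof.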
We finally prove Theorem 3. For convenience, we first recall the theorem.

Theorem (Conjunctive Differential Radical Characterization). Let $h_1, \dots, h_r \in \mathbb{R}[x]$. Then, the conjunction $h_1 = 0 \wedge \cdots \wedge h_r = 0$ is invariant under the flow of the vector field $p$ subject to the evolution domain constraint $H$ if and only if

$$\Big( H \wedge \bigwedge_{j=1}^{r} h_j = 0 \Big) \ \rightarrow\ \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h_j) = 0 , \qquad (21)$$

where $N$ denotes the order of the ideal $\langle h_1, \dots, h_r \rangle$.

Proof. Necessary Condition. Let $x_\iota \in H$ be a root of all $h_j$, $j = 1, \dots, r$ (i.e. $x_\iota \in V(\langle h_1, \dots, h_r \rangle)$). If $V(\langle h_1, \dots, h_r \rangle)$ is an invariant variety subject to $H$, then by Lem. 5

$$V\big(I(\mathcal{O}^+(x_\iota)|_H)\big) = \overline{\mathcal{O}^+(x_\iota)|_H} \subseteq V(\langle h_1, \dots, h_r \rangle),$$

and therefore $I\big(V(I(\mathcal{O}^+(x_\iota)|_H))\big) \supseteq I\big(V(\langle h_1, \dots, h_r \rangle)\big)$ (Prop. 3).

We know that $I\big(V(\langle h_1, \dots, h_r \rangle)\big) \supseteq \langle h_1, \dots, h_r \rangle$ and that $I\big(V(I(\mathcal{O}^+(x_\iota)|_H))\big) = I(\mathcal{O}^+(x_\iota)|_H)$ (from Lem. 4, $I(\mathcal{O}^+(x_\iota)|_H)$ is a real ideal, and the equality follows from the real Nullstellensatz stated in Prop. 5); hence $I(\mathcal{O}^+(x_\iota)|_H) \supseteq \langle h_1, \dots, h_r \rangle$. By Theorem ??, this implies Eq. (17), and therefore Eq. (21) holds.

Sufficient Condition. The initial condition $x_\iota$ satisfies Eq. (17) of Theorem ?? by hypothesis, which implies $\langle h_1, \dots, h_r \rangle \subseteq I(\mathcal{O}^+(x_\iota)|_H)$ by Theorem ??. But then, by Prop. 3, $V(\langle h_1, \dots, h_r \rangle) \supseteq V\big(I(\mathcal{O}^+(x_\iota)|_H)\big) = \overline{\mathcal{O}^+(x_\iota)|_H}$. The conclusion follows by Lem. 5: $V(\langle h_1, \dots, h_r \rangle)$ is an invariant region subject to the evolution domain $H$. □

Eq. (21) can be restated using sequent calculus, where $F \vdash G$ means that whenever the boolean formula $F$ (antecedent) is satisfied, then the boolean formula $G$ is true. Eq. (21) can therefore be rewritten as follows:

$$H \wedge \bigwedge_{j=1}^{r} h_j = 0 \ \vdash\ \bigwedge_{j=1}^{r} \bigwedge_{i=1}^{N-1} \mathcal{L}_p^{(i)}(h_j) = 0 .$$

This reformulation (the one used in Theorem 3) is more suitable for the main theme of the presented paper: developing and extending a proof calculus for hybrid systems.
B Benchmarks


For all examples the evolution domain constraint $H$ is set to $\mathbb{R}^n$. For each problem, the left-hand side equation gives the candidate to check, and the right-hand side gives the vector field $p$.


Problem 1. Candidate: $x_1 = 0$. Vector field: $\dot{x}_1 = x_1$.

Problem 2. Candidate: $x_1 = 0$. Vector field: $\dot{x}_1 = x_1$.

Problem 3. Candidate: $x_1 - 1 = 0 \wedge x_1 + 1 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)(x_1 + 1)(x_1 + 3)$.

Problem 4. Candidate: $x_1 - 1 = 0 \wedge x_2 + 1 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = x_2(x_2 + 1)$.

Problem 5. Candidate: $x_1 - 1 = 0 \wedge x_2 - 1 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_1x_2$, $\dot{x}_2 = (x_2 - 1)\cdot[\text{illegible}]$.

Problem 6. Candidate: $x_1 - 1 = 0 \wedge x_3 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_3$, $\dot{x}_2 = x_1x_2$, $\dot{x}_3 = x_1(x_3 - 4)$.

Problem 7. Candidate: $x_1 = 0 \wedge x_2 = 0$. Vector field (partly illegible): $\dot{x}_1 = [\text{illegible}] + x_1^2(x_2 - x_1)$, $\dot{x}_2 = -2x_1x_2(2x_1x_2 - 3)$.

Problem 8. Candidate: $x_1 - 1 = 0 \wedge x_2 + 1 = 0 \wedge x_3 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)^{[\text{illegible}]}$, $\dot{x}_2 = x_1(x_2 + 1)$, $\dot{x}_3 = x_2(x_3 - 4)$.

Problem 9. Candidate: $x_1 - 1 = 0 \wedge x_2 - 1 = 0 \wedge x_3 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = (x_2 - 1)x_2$, $\dot{x}_3 = x_1(x_3 - 4)$.

Problem 10. Candidate: $x_1 - 1 = 0 \wedge x_3 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_3$, $\dot{x}_2 = x_2$, $\dot{x}_3 = x_1(x_3 - 4)$.

Problem 11. Candidate: $x_1 - 1 = 0 \wedge x_2 + 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = x_1(x_2 + 1)$, $\dot{x}_3 = x_1(x_3 - 4)$, $\dot{x}_4 = (x_4 - 4)^{[\text{illegible}]}$.

Problem 12. Candidate: $x_1 - 1 = 0 \wedge x_2 - 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 1 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = (x_2 - 1)x_2$, $\dot{x}_3 = x_1(x_3 - 4)$, $\dot{x}_4 = x_1(x_4 - 1)$.

Problem 13. Candidate: $x_1 - 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 4 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = x_2$, $\dot{x}_3 = (x_3 - 4)x_3$, $\dot{x}_4 = x_1(x_4 - 4)$.

Problem 14. Candidate: $x_1 - 1 = 0 \wedge x_2 + 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 4 = 0 \wedge x_5 - 2 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = x_1(x_2 + 1)$, $\dot{x}_3 = x_2(x_3 - 4)$, $\dot{x}_4 = (x_4 - 4)^{[\text{illegible}]}$, $\dot{x}_5 = (x_5 - 2)^{[\text{illegible}]}$.

Problem 15. Candidate: $x_1 - 1 = 0 \wedge x_2 - 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 1 = 0 \wedge x_5 + 2 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)^{[\text{illegible}]}$, $\dot{x}_2 = (x_2 - 1)^{[\text{illegible}]}$, $\dot{x}_3 = x_2(x_3 - 4)$, $\dot{x}_4 = x_2(x_4 - 1)$, $\dot{x}_5 = x_2(x_5 + 2)$.

Problem 16. Candidate: $x_1 - 1 = 0 \wedge x_3 - 4 = 0 \wedge x_4 - 4 = 0 \wedge x_5 - 1 = 0$. Vector field: $\dot{x}_1 = (x_1 - 1)x_2$, $\dot{x}_2 = x_1$, $\dot{x}_3 = x_2(x_3 - 4)$, $\dot{x}_4 = x_2(x_4 - 4)$, $\dot{x}_5 = x_1(x_5 - 1)$.

Problem 17. Candidate: $x_1^2 + x_2^2 + x_3^2 - 1 = 0 \wedge x_3 = 0$. Vector field: $\dot{x}_1 = x_1(-x_1^2 - x_2^2 + 1) - x_2$, $\dot{x}_2 = x_1 + x_2(-x_1^2 - x_2^2 + 1)$, $\dot{x}_3 = x_3$.

Problem 18. Candidate: $x_1^2 + x_2^2 - 1 = 0 \wedge x_3 = 0$. Vector field: $\dot{x}_1 = x_1(-x_1^2 - x_2^2 + 1) - x_2$, $\dot{x}_2 = x_1 + x_2(-x_1^2 - x_2^2 + 1)$, $\dot{x}_3 = x_3$.

Problem 19. Candidate: $x_1^2 + x_2^2 - 1 = 0 \wedge x_3 - x_1 = 0$. Vector field: $\dot{x}_1 = -x_2$, $\dot{x}_2 = x_3$, $\dot{x}_3 = -x_2$.

Problem 20. Candidate: $x_1x_3 + x_3 - 1 = 0 \wedge x_2 - x_1^2 = 0$. Vector field: $\dot{x}_1 = x_2 + x_3$, $\dot{x}_2 = 2x_1x_2 + 2x_1x_3$, $\dot{x}_3 = -x_3 - x_2x_3$.

Problem 21. Candidate: $x_1^2 + [\text{illegible}] - x_2 = 0 \wedge x_3 = 0$. Vector field: $\dot{x}_1 = -2x_2$, $\dot{x}_2 = -3x_1^{[\text{illegible}]} - 2x_1$, $\dot{x}_3 = -x_3$.

22 

XI  =  (ixzX(,{xQx‘^  +  xi)'^  —  24x1X4X5 
X2  =  3xI{xqxI  +  xi)^ 
a;3  =  —3x2(xr  —  3)^ 

3a;i 

X4= 

=  189x®  +  120:40^1  —  '^{xqx^  +  xi)^ 

—  2{3x3X2  +  77x2  +  l){—lQx\  +  xi  77x1X2  +  3xiX2X3) 
xq  =  {x7  —  3)^  —  2(3a^3a^i  +  77xi){—16x‘^  +  xi  +  77xiX2  +  3X1X2X3) 
X7  =  —QxiX2{—^^x\  +  Xl  +  77X1X2  +  30:1X22:3) 

X3  =  12xix|  +  64x4(— 16x|  +  xi  +  77xiX2  +  3X1X2X3) 

X9  =  — X9 


3 

27x1+12x4x1x1  — (xQxl+xi)^ +X2{x-^ —3)^  —  ^  — 
(— 16a;|+xi+77xiX2+3a;ia;2a;3)^=0  A  xg=0 
(xix^  —  12)(xf+x^+x^+x^+x§+x^+x^+x^  —  l)= 
0  A  xg=0 


25 

—  a—xf+X2—X3=0  A  —xf+3x2+X3=0 

26 


JlXiX4  +  J2X2X5+J3X3Xg=0 


27 


—  a—JxixeXi+(x‘^+X2)x3=0  A  4a;iX4+4x2a;5+ 

X3Xe=0 


28 


a:i  =  — 2(a;ia;2  —  12)x5 
X2  =  — 2(a;ia;|  —  12)x6 
X3  =  — 2(a;ia;2  —  12)x7 
X4  =  — 2(a;ia;|  —  12)xg 

x's  =  (xf  +  X2  +  Xg  +  x^  -f-  x^  +  Xg  +  Xy  +  Xg  —  l)x2  +  2xi (xixt 
x'e  =  2a:2(xia;2  —  12)  +  2xiX2{xf  +  X2  +  Xg  +  x^  +  Xg  +  Xg  +  Xy 
X7  =  2(xix|  —  12)a;3 
xg  =  2(xix|  —  12)a;4 
xg  =  xg 


XI  =  2a;3  —  2xy 
X2  =  —3x4x2 

X3  =  4a:ia;3  —  2a:i(2xj  —  9x|) 


_  (42  — 43)^2  ^3 —^6^2 +3:5  A3 


a;i  = 


4i 


4:2  = 


_  (43-4i)3!i3;3+3:6Ai— 3:4X3 


42 


4:3  = 


_  (Jl—J2)xiX2—x^Xi  +X4X2 


J3 


X4  =  X3X5  -  X2XQ 

X^  =  XlXQ  —  0:30^4 

0^6  =  X2X4  —  XlXs 


■  _  3X2X3 

•^1  —  4 

X2  =  \(JxeX4  -  3xia;3) 
X3  =  —JxgXi 

X4  =  X3X3  -  X2XQ 
X3  =  X4Xe  —  X3X4 
XQ  =  X2X4  —  X1X5 


{x\+x\)x3—JxiX3X4=f)  A  4xiX4+4a:24;5+X3a;6= 
0  A  o(xj+a;|)®  — 2xj=0 


■  _  33:23:3 

4-1  —  4 

X2  =  \(Jx6X4  -  3xia;3) 
X3  =  -JxgXi 
X4  =  X3X3  -  X2X3 
X3  =  XI  xe  —  X3X4 

x'e  =  X2X4  —  X4X3 
X4+X5  — 1=0  A  X6— X4=0  A  x|+X5+l=0 

X4  =  —X5 

X5  =  XQ 

x'e  =  —X5 
_ _  /  ^2  ^2  1  1  \ 

x'l  =  X4(  —  xf  —  Xy  +  1)  —  X2 
4:2  =  4;i  +  X2(— 4;^  —  +  1) 


4;4+a;|  — 1=0  A  4:3=0  A  4:|+a;g  — 1=0  A  4:6— 4:4=0 


X5  =  Xe 
4:2X4+4:24:4—3x2X3+1=0  A  X3=0 
x'e  =  — X5 


x'l  =  (xi  -  l)(xi  +  1) 
X2  =  (X2  -  l)(x2  +  1) 

X3  =  -X3 


-12) 

+  x|  -  1) 
Xl3=0  A  (x^+x^+x^  —  iy‘^^  +  (xfg+2xgxfQ  + 

6xfQ+2xgxio+Xg—3)^^+{x2xf+X2xf—3x2x1  + 
l)^®+(x|— 3x|a;|a;|+x|a;|+x|x|)^"‘+(a;iixi2+ 

Xl2-1)^=0 


XI  =  -  292x7  (x|  +  x2  +  x|  -  1)1-*® 

X2  =  —  292x8  (xg  +  x^  +  Xg  —  1)^'*® 

x'a  =  -42(2x|g  +  2xio  +  2xg)(xfg  +  2xgx®g  +  ex^g  +  2xgxio  +  x|  -  S)"*! 
X4  =  -42(4xfg  +  6xgx^g  +  12x10  +  2xg) 

X  (xfg  +  2xgxfg  +  6xfg  +  2xgxio  +  x|  —  3)"*^ 
x's  =  -2xi2(xiiXi2  +  Xi2  -  1) 

X6  =  -2(xii  +  l)(xiixi2  +  X12  -  1) 

xV  =  26(2xix|  +  4x®x|  —  6xix|)(x2x|  +  XjXj  —  3x|xj  +  1)^® 

x's  =  26(2x2x|  +  4x1x1  —  6x2Xj)(x2x|  +  XjXj  —  3x|xj  +  1)^® 

Xg  =  14(2x3x|  +  4x|x|  —  6x3Xgx|)(x5  —  3x3x|xg  +  XgX^  +  XgxD^® 

xio  =  14(2x4X3  +  4X4X3  —  6x4XgX3)(x|  —  3x3x|xg  +  XgX^  +  Xgxl)^® 
xii  =  14(6x5  —  6x3x|x5)(x5  —  3x3x|x5  +  XgxI  +  Xgxl)^® 
xi2  =  292x6  (x|  +  x|  +  x|  —  l)^"'® 
xia  =  — X13 